Splunk Search

Follow on from http://splunk-base.splunk.com/answers/70576/break-a-search-down-per-day

robK123
Explorer

It will not let me post a comment on the http://splunk-base.splunk.com/answers/70576/break-a-search-down-per-day answer, as it says it is too many letters, so I have to create a new post (sorry if there is a way to post the comment, but I could not see how!).

I have created the below search, but I get the following error when I try to run it, and I cannot see what I have done wrong.

"Error in 'stats' command: The number of wildcards between field specifier '' and rename specifier 'daily_failure_count' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum()"

source="secure" sshd "pam_ldap: error trying to bind as user" | top uid limit=8 | fields - percent | bin _time span=1d | stats count sshd "pam_ldap: error trying to bind as user" AS daily_failure_count by uid _time | where daily_failure_count>=5 | table _time uid daily_failure_count

0 Karma

Drainy
Champion

Well, you need to run stats against a field; you can't just run it against a series of words. Just remove the text and run it as a stats count.

E.g.

source="secure" sshd "pam_ldap: error trying to bind as user" | top uid limit=8 | fields - percent | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>=5 | table _time uid daily_failure_count

0 Karma

Drainy
Champion

The most important thing to remember is that when you pipe to a command you pass the results of the previous command over, so if you do a statistical command that strips away the time element then you cannot do anything against time in the following commands (well, unless you do some other magic, but let's not overcomplicate things at the moment 😉). Good luck!

0 Karma

robK123
Explorer

Thanks very much it now works!

I still have lots to learn about Splunk 🙂 although I now know a bit more about top and bucket.

0 Karma

Drainy
Champion

Sorry, I just corrected the error but didn't really read the search. Think it through: you are using top, which does a count. How can you then bucket this by time? There is no time element to it anymore, as each result has been summarised with a count. Remove the top. Perhaps do something like this: SEARCHTERMS | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>4 | table _time uid daily_failure_count | top uid limit=8

0 Karma
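The pipeline semantics Drainy describes (bin the timestamp, count per uid and day, filter on the count, only then rank with top) can be reproduced outside Splunk to see why the order of commands matters. The Python below is an added illustration written for this thread, not Splunk's own code or anything posted by the participants. It assumes constructed sshd/pam_ldap log lines with ISO-8601 timestamps (real syslog lines carry "Mon DD HH:MM:SS" timestamps and would need a different parse) and extracts uid from the quoted user name in the bind-failure message; both the sample lines and that field extraction are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone


def _line(ts, uid):
    # Constructed sshd/pam_ldap bind-failure line; the host, pid and trailing reason are made up.
    return f'{ts} bastion sshd[2101]: pam_ldap: error trying to bind as user "{uid}" (Invalid credentials)'


# Constructed sample log (not from the thread): alice fails 6x on 03-04 and 2x on 03-05,
# bob fails 5x on 03-04, carol once, plus one successful login that must be filtered out.
SAMPLE_LOG = "\n".join(
    [_line(f"2013-03-04T09:{i:02d}:00Z", "alice") for i in range(6)]
    + [_line(f"2013-03-05T09:{i:02d}:00Z", "alice") for i in range(2)]
    + [_line(f"2013-03-04T10:{i:02d}:00Z", "bob") for i in range(5)]
    + [_line("2013-03-04T11:00:00Z", "carol"),
       "2013-03-04T11:05:00Z bastion sshd[2102]: Accepted publickey for dave from 10.0.0.5 port 51022 ssh2"]
)

# Assumed field extraction: uid is the quoted user name in the pam_ldap message.
FAILURE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ sshd\[\d+\]: pam_ldap: error trying to bind as user "(?P<uid>[^"]+)"'
)


def parse_failures(text):
    """Equivalent of the base search: keep only pam_ldap bind failures, yield _time and uid per event."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # e.g. the "Accepted publickey" line does not match the search terms
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"_time": ts, "uid": m.group("uid")})
    return events


def stats_count_by_uid_day(events):
    """bin _time span=1d | stats count AS daily_failure_count by uid _time.

    Binning truncates each timestamp to its day; the count is then keyed on (day, uid).
    """
    counts = Counter((e["_time"].date().isoformat(), e["uid"]) for e in events)
    return [
        {"_time": day, "uid": uid, "daily_failure_count": n}
        for (day, uid), n in sorted(counts.items())
    ]


def where_at_least(rows, threshold=5):
    """where daily_failure_count>=threshold."""
    return [r for r in rows if r["daily_failure_count"] >= threshold]


def top(rows, field, limit=8):
    """top <field> limit=N: most frequent values with count and percent.

    The output rows carry only the field, count and percent. _time is gone, which is
    why 'bin _time' placed after 'top' has nothing to work on.
    """
    c = Counter(r[field] for r in rows)
    total = sum(c.values())
    return [
        {field: v, "count": n, "percent": round(100.0 * n / total, 2)}
        for v, n in c.most_common(limit)
    ]


def daily_failure_report(text, threshold=5, limit=8):
    """Drainy's corrected order: search | bin | stats | where | table | top."""
    events = parse_failures(text)
    rows = where_at_least(stats_count_by_uid_day(events), threshold)
    return rows, top(rows, "uid", limit)


if __name__ == "__main__":
    rows, ranked = daily_failure_report(SAMPLE_LOG)
    for r in rows:
        print(r)
    print("top uids among over-threshold days:", ranked)
    print("top run first (no _time left):", top(parse_failures(SAMPLE_LOG), "uid"))
```

Running it prints the two (day, uid) rows that reach five failures and, for contrast, the result of running top on the raw events first: a uid/count/percent table with no _time key at all, which is exactly the input the original search handed to bin.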

robK123
Explorer

Thanks, it now lets me run it, but it does not return any results and says "No matching fields exist".

But it does say 147 matching events, and it will not show them.

But I know there should be results to see.

0 Karma