Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate report of top n search queries

staze
Path Finder
‎09-22-2010 09:54 PM

I'd like to generate a report of N top search queries from my apache weblogs.

Log entry for a search looks like:

123.456.789.000 - - [22/Sep/2010:13:58:18 -0700] "GET /search?SearchableText=Gateway HTTP/1.1" 200 5857 "http://www.example.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

How would I go about doing this? I mean, I can do something like:

host="www" file="search" SearchableText="*" which returns the search terms in date/time order. But it would be nice to show them in frequency, etc, and return N number (where I can set N to 100, 1000, 10000, etc).

Frequency would probably also have to account for case. So, probably lc all the results, then tally them up.

Thanks!

0 Karma
Reply

staze
Path Finder
‎09-23-2010 05:24 PM

I believe I got it. I'm not sure why it wasn't rendering, but I managed to get it working...

host="www" file="search" SearchableText="*" | top limit=100 SearchableText

So yeah, this works.

0 Karma
Reply

staze
Path Finder
‎09-23-2010 05:23 PM

I think I got it.

host="www" file="search" SearchableText="*" | top limit=100 SearchableText

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-23-2010 12:29 AM

Field names in Splunk are case sensitive. Try: host="www" file="search" SearchableText="*" | top SearchableText

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-22-2010 10:53 PM

A report of top hosts for an error log might be:

index=stuff sourcetype=error_log | top host

If you manually manipulate stats:

index=stuff sourcetype=errors | stats count by host | sort -count | head 10

For your case, you need to extract a field called SearchableText. Once you extract it (via rex or interactive field extraction) you can report by it:

host=www source=<your log file> | rex "SearchableText=(?<SearchableText>.*[^ ]) HTTP" | top SearchableText

Make sure you limit your time range to test this out.

Reply

staze
Path Finder
‎09-22-2010 10:44 PM

So, I've just tried:

host="www" file="search" SearchableText="*" | top searchabletext

but it never seems to render the results (the results section just says "Waiting for Search Preview Results").

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...