Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting the counts by day but keeping the timestamp

totaro
Explorer
‎04-29-2019 07:06 PM

Hi,
Messing with dns logs im trying to get the domain that was only queried afew times per day. However i would also like to keep the timestamp so i know the time of query as well, any way i can do this? my current method is
"|stats count by Date,Query|where count < 5 " but this remove the timestamp

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-29-2019 08:50 PM

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-29-2019 09:52 PM

Try these:

... | eventstats count BY Date Query | where count < 5

OR

...  | stats count list(_time) AS _time BY Date Query | where count < 5
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎04-29-2019 08:50 PM

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...