Solved: Getting the counts by day but keeping the timestam...

totaro · ‎04-29-2019

Hi,
Messing with dns logs im trying to get the domain that was only queried afew times per day. However i would also like to keep the timestamp so i know the time of query as well, any way i can do this? my current method is
"|stats count by Date,Query|where count < 5 " but this remove the timestamp

MuS · ‎04-29-2019

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

View solution in original post

woodcock · ‎04-29-2019

Try these:

... | eventstats count BY Date Query | where count < 5

OR

...  | stats count list(_time) AS _time BY Date Query | where count < 5

MuS · ‎04-29-2019

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

Getting the counts by day but keeping the timestamp

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM