Solved: Getting the counts by day but keeping the timestam...

totaro · ‎04-29-2019

Hi,
Messing with dns logs im trying to get the domain that was only queried afew times per day. However i would also like to keep the timestamp so i know the time of query as well, any way i can do this? my current method is
"|stats count by Date,Query|where count < 5 " but this remove the timestamp

MuS · ‎04-29-2019

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

View solution in original post

woodcock · ‎04-29-2019

Try these:

... | eventstats count BY Date Query | where count < 5

OR

...  | stats count list(_time) AS _time BY Date Query | where count < 5

MuS · ‎04-29-2019

Hi totaro,

try something like this:

base search here
| stats count values(timestamp) AS timestamp by Date, Query
| where count < 5

this will keep a single or multivalve field with the timestamp in it.

Hope this helps ...

cheers, MuS

Getting the counts by day but keeping the timestamp

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...