Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with a search query involving two time ranges

cfortune
Explorer
‎06-27-2012 01:04 PM

We have a Splunk instance here at my job that I've inherited. I rarely have to go do anything in it so my Splunk Fu is definitely lacking. We're looking at some new public file transfer appliance and need to know something kind of odd for licensing (according to my manager anyway).

My manager wants to know, which 60 day period has the highest number of unique user id's that successfully authenticated over the last 2 years. Seems odd that someone would come up with a licensing framework where that matters but I do what I'm told...

Here is an example of our current FTP logs when a user successfully logs in:

2012-06-26 22:55:39 dest_ip 21 2172 source_ip 4964 3248 Username 0 0 - 18 RESPONSE: 230-Welcome Username from dest_ip.

I have custom fields setup for source, destination, and username. What I'm having trouble grasping is how to I look for the top 60 days over the last 2 years.

Any help would be greatly appreciated.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-27-2012 01:42 PM

If it's a rolling 60 day period, you'll want to use a pretty complex class of reports where you use timechart OR stats, and then you use streamstats.

To start you off with a simpler example, here's a report that searches the _internal index and shows total indexing volume for the sourcetype "splunkd", over a rolling 24 hour period.

index=_internal group="per_sourcetype_thruput" series="splunkd" | timechart span="1h" sum(kb) as KB | streamstats sum(KB) as 24HourRollingKB window=24

Your case though, with the distinct counts, is a little more unusual.

This search will give you, for each day, the rolling distinct count of userId's in the last 30 days up to that point.

foo | bin _time span="1d" | stats values(userId) as userId by _time | streamstats dc(userId) window=30

(You might want to put a sort - _time before the streamstats. Sort of depends from what side you want to calculate things)

and then from there you can get the 1 day with the highest rolling-30-day-period distinct userId count by just sorting those results and getting the top value:

foo | bin _time span="1d" | stats values(userId) as userId by _time | streamstats dc(userId) as distinctUsers window=30 | sort - distinctUsers | head 1

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-27-2012 01:42 PM

If it's a rolling 60 day period, you'll want to use a pretty complex class of reports where you use timechart OR stats, and then you use streamstats.

To start you off with a simpler example, here's a report that searches the _internal index and shows total indexing volume for the sourcetype "splunkd", over a rolling 24 hour period.

index=_internal group="per_sourcetype_thruput" series="splunkd" | timechart span="1h" sum(kb) as KB | streamstats sum(KB) as 24HourRollingKB window=24

Your case though, with the distinct counts, is a little more unusual.

This search will give you, for each day, the rolling distinct count of userId's in the last 30 days up to that point.

foo | bin _time span="1d" | stats values(userId) as userId by _time | streamstats dc(userId) window=30

(You might want to put a sort - _time before the streamstats. Sort of depends from what side you want to calculate things)

and then from there you can get the 1 day with the highest rolling-30-day-period distinct userId count by just sorting those results and getting the top value:

foo | bin _time span="1d" | stats values(userId) as userId by _time | streamstats dc(userId) as distinctUsers window=30 | sort - distinctUsers | head 1

Reply
Solved! Jump to solution

cfortune
Explorer
‎06-27-2012 01:25 PM

Good question. I believe it's rolling but I'll ask to make sure. Given the wording of the request, it makes me think it's rolling (he says for ANY 60 day period).

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎06-27-2012 01:19 PM

Is it a rolling 60 day period, or fixed 2-month period based on something like first-day-of-month?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...