Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I search count by DN based on my sample event?

sid19920
New Member
‎08-23-2016 07:40 PM

How can I do search count by dn here? tag=101 means search. I have already used transaction conn to separate based on connection numberalt text

Preview file
150 KB
0 Karma
Reply

sundareshr
Legend
‎08-24-2016 10:27 AM

Try this instead of using transaction

*EDITED*

 your base search | eventstats values(dn) as dn by conn | where tag=101 | timechart count by dn usenull=f useother=f
0 Karma
Reply

sid19920
New Member
‎08-24-2016 11:11 AM

This is a preview of how the data is indexed initiallyalt text

0 Karma
Reply

sid19920
New Member
‎08-24-2016 11:29 AM

https://postimg.org/image/igb8y7ohv/. I couldn't as I don't have enough karma points. Can you see the link now?

0 Karma
Reply

sundareshr
Legend
‎08-24-2016 11:36 AM

yes. i see it now

0 Karma
Reply

sundareshr
Legend
‎08-24-2016 11:41 AM

I assume the events you shared are from a search like this your base search tag=101, right? Because I don't see dn= anywhere. Try the updated query I posted.

0 Karma
Reply

sid19920
New Member
‎08-24-2016 11:52 AM

the events i have posted are without any search. Just the raw file. When I do search for tag=101 all the dn fields disappear. I did get an output using the new query but the result is different from what I expected and its not a timechart

0 Karma
Reply

sid19920
New Member
‎08-24-2016 10:40 AM

The graphs should look like this. The first one is for Search count by DN and the second one is for Search count duration by DN. I need help with both pleasealt text

Preview file
135 KB
0 Karma
Reply

sundareshr
Legend
‎08-24-2016 11:00 AM

Try the edited query

0 Karma
Reply

sid19920
New Member
‎08-24-2016 11:07 AM

I did. It doesn't work. I think you'd be able to solve it if I can send you the log file

0 Karma
Reply

sundareshr
Legend
‎08-24-2016 11:22 AM

That'll be great. Share a few events

0 Karma
Reply

sid19920
New Member
‎08-24-2016 11:25 AM

alt text

Thnx.Ive added a link to the image url for you.

0 Karma
Reply

sundareshr
Legend
‎08-24-2016 11:26 AM

I don't see the link. All I see is alt text. Just paste a few events to your original question

0 Karma
Reply

sid19920
New Member
‎08-24-2016 10:36 AM

Thnx for the reply. Sorry but it says "No results". If i don't use transaction then the events are not grouped based on conn number. The DN value is only present after the binding is complete so I used transaction so that the dn and SRCH are grouped in same event.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...