Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find spike in total count of a field?

jwalzerpitt
Influencer
‎11-12-2019 06:16 PM

I'd like to be able to search for the following:

1) timechart over X days for the sum of the count of a field
2) spikes or % increase for the sum of the count of a field compared to previous hour, day, week, etc

For example, we are ingesting Palo logs and I'd like to be able to see what fields have the highest sum/total for the time period I run and then also see the % increase/decrease of the sum/total for the field as well compared to an hour/day/week/etc.

Not looking to break the count of the field using 'BY', but just interested in the sum/total of all events for a field

Thx

0 Karma
Reply

codebuilder
Influencer
‎11-14-2019 08:43 PM

Pipe the results of your query to "fieldsummary", which by default provides both "count" and "distinct_count".
I think this will get you the data you're after, based on your question.

See this documentation for more detailed explanation:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldsummary

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...