Splunk Search

How to find the top 10 events within 24 hours?

N0Excuse_
New Member

Hi, I am new to Splunk. I would like to create a command that can find the top 10 events that happened within 24 hours.

index="name" events=* | top 10 User | stats count(User) as Count by User | sort - Count | head 10


jotne
Builder

Would you like the top 10 events per user?


index="name" events=*
| stats count by host events
| sort host -count
| streamstats count as counter by host
| where counter<11
| fields - counter


yuanliu
SplunkTrust

What is the question? | top 10 User will return the ten most populous users, sorted in reverse numeric order. You don't need to count the output. Are you not getting that with just | top 10 User?

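To make the two shapes of answer in this thread concrete, here is an added Python model (not SPL, and not code posted by anyone in the thread) that runs the same pipeline jotne's search expresses over a constructed set of events: restrict to the last 24 hours (the window the question asks for, which the SPL above would express with the time modifier earliest=-24h), count by host and event, then keep the ten highest counts per host, which is what the streamstats/where pair does. A second function shows the flat "| top 10 <field>" shape yuanliu refers to, where the command already returns the count and no extra stats is needed. The hosts, event names and the fixed "now" timestamp are constructed for the demonstration.

```python
"""Added example: a plain-Python model of the per-host top-N search from the
thread (stats count by host events -> sort -> streamstats counter by host ->
where counter < 11), with a 24-hour window applied first. The event records
and the 'now' timestamp below are constructed sample data, not real logs."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events: (timestamp, host, event name).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    (NOW - timedelta(hours=1), "web01", "login_failed"),
    (NOW - timedelta(hours=2), "web01", "login_failed"),
    (NOW - timedelta(hours=3), "web01", "login_failed"),
    (NOW - timedelta(hours=4), "web01", "login_ok"),
    (NOW - timedelta(hours=5), "web01", "login_ok"),
    (NOW - timedelta(hours=6), "web01", "logout"),
    (NOW - timedelta(hours=2), "db01", "query_slow"),
    (NOW - timedelta(hours=3), "db01", "query_slow"),
    (NOW - timedelta(hours=4), "db01", "connect"),
    # Older than 24 hours: excluded by the time window (like earliest=-24h).
    (NOW - timedelta(hours=30), "db01", "connect"),
    (NOW - timedelta(hours=31), "db01", "connect"),
    (NOW - timedelta(hours=32), "db01", "connect"),
]


def in_window(events, now, hours=24):
    """Keep events with now-hours <= timestamp <= now (the search time range)."""
    start = now - timedelta(hours=hours)
    return [e for e in events if start <= e[0] <= now]


def count_by_host_event(events):
    """| stats count by host events  ->  {(host, event): count}"""
    return Counter((host, ev) for _, host, ev in events)


def top_n_per_host(counts, n=10):
    """| sort host -count | streamstats count as counter by host | where counter<=n

    Returns {host: [(event, count), ...]} with at most n rows per host,
    ordered by descending count (ties broken by event name for stability).
    """
    rows = sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))
    result = {}
    for (host, ev), cnt in rows:
        bucket = result.setdefault(host, [])
        if len(bucket) < n:  # the running counter for this host is still <= n
            bucket.append((ev, cnt))
    return result


def top_events_last_24h(events=EVENTS, now=NOW, n=10):
    """Full pipeline: 24h window -> count by host/event -> per-host top-n."""
    return top_n_per_host(count_by_host_event(in_window(events, now)), n)


def top_events_overall(events=EVENTS, now=NOW, n=10):
    """The '| top N <field>' shape without the per-host split: the N most
    frequent event names across all hosts in the window, count included."""
    c = Counter(ev for _, _, ev in in_window(events, now))
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for host, rows in top_events_last_24h().items():
        for ev, cnt in rows:
            print(f"{host}\t{ev}\t{cnt}")
```

Running the module prints one line per surviving host/event pair; the three "connect" events older than 24 hours never reach the count, which is why the window has to be applied before the aggregation rather than after it.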