Splunk Search

How to search values from stats to output other stats

n00ber
Engager

Hi,

I'm new to Splunk and I'm trying to make the following search work:

Search:

| >= 50 document queries from the same user on Host x 
| within one minute 
| concerning 15 or more db records

Thanks in advance.

1 Solution

woodcock
Esteemed Legend

Like this:

... | streamstats time_window=1m count(searchmatch("query string here")) AS query_count dc(db_record_field_name_here) AS dc_db BY host
| where query_count >= 50 AND dc_db >= 15

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

... | streamstats time_window=1m count(searchmatch("query string here")) AS query_count dc(db_record_field_name_here) AS dc_db BY host
| where query_count >= 50 AND dc_db >= 15
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi n00ber,
I'm not sure to understand your need, do you want to search events for each user on host=x and count them every minute; I don't understand the second condition: concerning 15 or more db records.
Anyway, the part I understood should be solved by something like this:

your_search host=x
| timechart span=1m count BY user
| where count>49

In this way you have the users and the minutes where you have more than 49 events.

I'm waiting for more details about your need.

Bye.
Giuseppe

0 Karma

n00ber
Engager

Thanks @gcusello but this query was what I was doing before and not getting what I needed. @woodcock answer met needes!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...