Hi,
I'm new to Splunk and I'm trying to make the following search work:
Search:
| >= 50 document queries from the same user on Host x
| within one minute
| concerning 15 or more db records
Thanks in advance.
Like this:
... | streamstats time_window=1m count(eval(searchmatch("query string here"))) AS query_count dc(db_record_field_name_here) AS dc_db BY host, user
| where query_count >= 50 AND dc_db >= 15
Hi n00ber,
I'm not sure I understand your need: do you want to search events for each user on host=x and count them every minute? I don't understand the second condition: concerning 15 or more db records.
Anyway, the part I understood should be solved by something like this:
your_search host=x
| timechart span=1m count BY user
| where count>49
In this way you have the users and the minutes where you have more than 49 events.
I'm waiting for more details about your need.
Bye.
Giuseppe
Thanks @gcusello, but this query was what I was doing before and it was not giving me what I needed. @woodcock's answer met my needs!
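The two answers above compute different things: streamstats time_window=1m is a sliding window that ends at each event, while timechart span=1m puts events into fixed one-minute buckets, so a burst that straddles a minute boundary can be split in two and missed by the bucketed version. The following is an added example, not code from the thread or from Splunk; it re-implements both counts in plain Python over constructed sample events so the difference can be run offline. The field names (_time, host, user, record) and the sample data are assumptions.

```python
"""Sliding window versus fixed one-minute buckets for the thread's rule.

Added example, not code from the original thread or from Splunk. It mirrors
what the two SPL searches compute:

  streamstats time_window=1m count(...) dc(record) BY host, user -> rolling window
  timechart span=1m count BY user                                -> fixed buckets

Field names (_time, host, user, record) and the events are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta


def make_events():
    """Constructed sample events (not real logs)."""
    events = []
    # alice fires 50 queries, one per second, starting at 12:00:30, so the
    # burst straddles the 12:01:00 minute boundary and touches 15 records.
    start = datetime(2024, 1, 1, 12, 0, 30)
    for i in range(50):
        events.append({"_time": start + timedelta(seconds=i), "host": "x",
                       "user": "alice", "record": "rec%02d" % (i % 15)})
    # bob: a few unrelated queries on the same host
    for i in range(5):
        events.append({"_time": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=10 * i),
                       "host": "x", "user": "bob", "record": "rec00"})
    return sorted(events, key=lambda e: e["_time"])


def sliding_window_alerts(events, window=timedelta(minutes=1), min_count=50, min_dc=15):
    """Rolling count and distinct count per (host, user), ending at each event,
    i.e. the streamstats time_window=1m behaviour. Events must be sorted by _time."""
    recent = {}   # (host, user) -> deque of (time, record) still inside the window
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        q = recent.setdefault(key, deque())
        q.append((ev["_time"], ev["record"]))
        # expire events that fell out of the trailing window ending at this event
        while ev["_time"] - q[0][0] > window:
            q.popleft()
        count = len(q)
        dc = len({rec for _, rec in q})
        if count >= min_count and dc >= min_dc:
            alerts.append((ev["_time"], key, count, dc))
    return alerts


def fixed_bucket_alerts(events, min_count=50):
    """Count per (minute bucket, host, user), i.e. the timechart span=1m behaviour,
    then keep buckets that reach the threshold."""
    buckets = {}
    for ev in events:
        minute = ev["_time"].replace(second=0, microsecond=0)
        key = (minute, ev["host"], ev["user"])
        buckets[key] = buckets.get(key, 0) + 1
    return sorted((k, n) for k, n in buckets.items() if n >= min_count)


if __name__ == "__main__":
    evs = make_events()
    print("sliding window:", sliding_window_alerts(evs))   # one alert for alice at 12:01:19
    print("fixed buckets :", fixed_bucket_alerts(evs))     # nothing: 30 + 20 across two buckets
```

With this data the sliding window fires once, on alice's 50th query at 12:01:19 (count 50, 15 distinct records), while the bucketed count sees 30 events in the 12:00 minute and 20 in the 12:01 minute and never reaches 50. The same sorting caveat applies in Splunk: streamstats time_window needs events in time order, so check the order of the events feeding it.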