Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to get a daily count of each fieldB by fieldA for 30 days?

mattbirk
Explorer
‎03-11-2015 10:13 AM

The events, each contain fieldA and fieldB (as well as other stuff). Currently, the search below works for 1 day, but I am trying to get a per day result for 30 days:

| top fieldB by fieldA

which returns the count of each fieldB per fieldA...exactly what I want...except I want per day over 30 days.

I cannot do a timechart span=1d because there is no longer a _time field due to the TOP command. Is there a better way to do this without the TOP command? Anything along the lines of a: stats count fieldB by fieldA?

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2015 02:27 PM

Try something like this

your base search | bucket span=1d _time | stats count by _time,fieldA,fieldB | sort 0 _time -count | streamstats count as rank sum(count) as Total by _time, fieldA | where rank>=10  | eval percent=round(count*100/Total,2) | table _time, fieldA, fieldB,count,percent

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2015 02:27 PM

Try something like this

your base search | bucket span=1d _time | stats count by _time,fieldA,fieldB | sort 0 _time -count | streamstats count as rank sum(count) as Total by _time, fieldA | where rank>=10  | eval percent=round(count*100/Total,2) | table _time, fieldA, fieldB,count,percent
Reply
Solved! Jump to solution

mattbirk
Explorer
‎03-12-2015 06:57 AM

Oh my, that's awesome! Works perfectly. Not sure I necessarily understand every command in that search, but it works. Can you explain the streamstats and rank command do? I also plan on Gooling them 🙂 Thanks!!

Reply
Solved! Jump to solution

mattbirk
Explorer
‎03-12-2015 08:37 AM

Also, to add: I had to change the where statement to where rank>=0 to get all the results...I noticed I was missing the highest count results. Looks good now...just curious.

0 Karma
Reply
Solved! Jump to solution

sk314
Builder
‎03-12-2015 08:37 AM

somesoni has a specific set of skills, he finds the questions and then he fixes them.

0 Karma
Reply
Solved! Jump to solution

sk314
Builder
‎03-11-2015 10:57 AM

Have you tried | bucket _time span=1d |chart count(fieldA) over _time by fieldB

and run the search over last 30 days? I am sure there are better ways to do this.

0 Karma
Reply
Solved! Jump to solution

mattbirk
Explorer
‎03-11-2015 02:06 PM

Yea, I'm honestly not sure the best way to do this. There are a LOT of unique values for both fields, so it makes this difficult. I'll try to work with what you suggested as well...see if I can think things up from there.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...