Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Query for finding highest numbers within time

miha
New Member
‎01-25-2012 12:38 PM

Hello,

I am trying to find a query structure that would find/identify the largest number of single event within the shortest amount of time.

Example: if I had 1000 IP addresses and I wanted to list all the IPs that were closest to each other form a time perspective. The highest number of IP's within the same hour.
or
Highest number of submissions (based off IP address) within an hour.

Thanks,

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-26-2012 06:16 AM

The fast and easy way is to use timechart, assuming that your base search selects the interesting events, and you only need the hour with the highest count, i.e. 

<your search> | timechart span=1h count

The harder way is to find the 60 (or 120) minute period with the highest count (still assuming that your base search will select the interesting events). This search will result in a single line with start and stop times, and of course the max count. Replace the window=60 to any number of your choice.

<your search>| timechart span=1m count AS cc | streamstats sum(cc) AS acc_roll_max window=60 | eval start = strftime (_time - 3600, "%Y-%m-%d %H:%M:%S") | eval stop = strftime(_time, "%Y-%m-%d %H:%M:%S") | sort - acc_roll_max | head 1 | fields - cc, _time

Hope this helps,

Kristian

Reply

miha
New Member
‎01-25-2012 01:38 PM

Thanks. Is there a way to do it not defined by the particular hour, but just by any 60 minute period?

Another example:

I have a weeks worth of data. I want to list all the IPs (value) that have the highest number of occurrences within a 60 or 120 minute period.

Thanks,

Thanks

0 Karma
Reply

southeringtonp
Motivator
‎01-25-2012 12:40 PM

Discrete hours (i.e., 1-2 pm), or on a sliding window? The former is easier than the latter.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...