Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search same index & source to get total of all & single value for top 10?

TerryM
Engager
‎03-19-2023 06:41 AM

Individually these searches work:

```#1 sum all values in field repeat_count in all threat logs that are M,H,C severity```

index=FW host=InternetFW sourcetype="fw:threat" severity IN (medium, high, critical) | stats sum(repeat_count) as TotalCount

```#2 sum all repeat_count vailues for the top 10 signatures ```

index=FW host=InternetFW sourcetype="fw:threat" severity IN (medium, high, critical) | stats sum(repeat_count) as Top_10_Threats_per_Day by signature
| sort 10 -Top_10_Threats_per_Day
| stats sum(Top_10_Threats_per_Day) as Top-10

Trying to get the 2 values into a timechart

|timechart span=1d values(TotalCount) as " Total" , values(Top-10) as "Total of top 10" 

Tried subsearch {search 1[search 2|fields Top-10]}, Tried multsearch.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-20-2023 12:57 AM 
| bin _time span=1d 
| stats sum(repeat_count) as Top_10_Threats_per_Day by _time signature
| sort 0 _time -Top_10_Threats_per_Day
| eventstats sum(Top_10_Threats_per_Day) as TotalCount by _time
| streamstats count by _time
| where count <= 10
| timechart values(TotalCount) as TotalCount sum(Top_10_Threats_per_Day) as Top_10_Threats_per_Day

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2023 10:14 AM

You mention time yet it doesn't appear in your searches

Do you want the top 10 overall and the counts for only those 10 for each day, or the top 10 for each day, which could be different from day to day.

If it is the latter, try something like this

| bin _time span=1d 
| stats sum(repeat_count) as Top_10_Threats_per_Day by _time signature
| sort 0 _time -Top_10_Threats_per_Day
| eventstats sum(Top_10_Threats_per_Day) as TotalCount by _time
| streamstats count by _time
| where count <= 10
0 Karma
Reply
Solved! Jump to solution

TerryM
Engager
‎03-19-2023 12:12 PM

time: earliest  5 days ago, latest Beginning of today.

Total of all threats for each day and a single total of the top 10 for each day like this:

Total              Top 10

8000              2500

2000                250

1567              534

etc

then get it into a timechart.

I can get the Total per day from search #1.

 

0 Karma
Reply
Solved! Jump to solution

TerryM
Engager
‎03-19-2023 12:40 PM

TerryM_1-1679254762462.png

 

index =FW host=InternetFW sourcetype="FW:threat" severity IN (medium, high, critical) 
| timechart span=1d sum(repeat_count) as "Total"
| appendcols
[search index =FW host=InternetFW sourcetype="FW:threat" severity IN (medium, high, critical) 
| timechart span=1d sum(repeat_count) as "Top 10" by signature WHERE MAX in top10]

Totals per day works, just need a single Total for the sum of the top 10 events for everything else per day.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-20-2023 12:57 AM 
| bin _time span=1d 
| stats sum(repeat_count) as Top_10_Threats_per_Day by _time signature
| sort 0 _time -Top_10_Threats_per_Day
| eventstats sum(Top_10_Threats_per_Day) as TotalCount by _time
| streamstats count by _time
| where count <= 10
| timechart values(TotalCount) as TotalCount sum(Top_10_Threats_per_Day) as Top_10_Threats_per_Day
0 Karma
Reply
Solved! Jump to solution

TerryM
Engager
‎03-20-2023 07:45 AM

Thanks for the replies. This seems to have got what I was looking for. for the numbers that are the same for Total and Top 10, there were only a few Threats  those days. Now I just need to decipher how you did it. Did I mention I'm very new to Splunk :). 

TerryM_0-1679323359024.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...