Splunk Search

Sort the query based on firstime and count

kteng2024
Path Finder

Hi,

Is there a way to sort the below query based on both firstime and total count . I want to know which sourcetypes having more counts based on the recent firstime.

| metadata type=sourcetypes | eval duration=now()-firstTime | where duration

0 Karma

woodcock
Esteemed Legend

This tells you sourcetypes which are new in the last week ( 7 days):

| metadata type=sourcetypes 
| eval firstAgoSeconds=now()-firstTime 
| where firstAgoSeconds < (7 * 24 * 60 * 60)
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(firstTime) ctime(lastTime) ctime(recentTime)
0 Karma

lguinn2
Legend

The metadata command is fine if you don't need a completely accurate count. If you are looking for the most active recent sourcetypes, I would probably do something like this:

| tstats count where index=* by sourcetype | sort -5 count

will give you the top 5 sourcetypes, based on the timerange you choose for the search. I find that tstats is more accurate when I am interested in a particular timerange, and it is still dramatically faster than a basic search for this purpose.

0 Karma

adonio
Ultra Champion
0 Karma

woodcock
Esteemed Legend

I need more detail to understand; maybe a sample mockup of final output, too.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...