Solved: Splunk Query to Generate an n-event sample across ...

JohnEGones · ‎07-21-2023

Hi people,

I wonder whether it is possible to run a query that generates a set of n-sample of events for each sourcetype in an index?

In some sense, if the log data has been ingested and conformed properly, this is perhaps not so problematic, you might build a datamodel or just query across the relevant CIM field (alias.)

So lets get specific:

index-someIndex sourcetype=someSourceType
| enumerate against some defined key value, say an eventtype
| enumerate all of the eventtypes and pull out any subeventtypes
| list the for 2-5 events for each subeventtype, else just list the 2-5 events for the the eventtype
| table _time, eventtype, subeventtype (NULL if blank), event

ITWhisperer · ‎07-21-2023

| fillnull value="NULL" subeventtype
| streamstats count by eventtype subeventtype
| where count < 6

View solution in original post

JohnEGones · ‎07-21-2023

@ITWhisperer

Thanks. I have not used streamstats much before.

I suppose there is not really a good way to generalize this; since simpler queries like this already assume your data is fairly well-parsed.

ITWhisperer · ‎07-21-2023

Correct, you need at least one field to do the stats by.

ITWhisperer · ‎07-21-2023

| fillnull value="NULL" subeventtype
| streamstats count by eventtype subeventtype
| where count < 6

Splunk Query to Generate an n-event sample across sourcetypes in an index

eval

other

stats

table

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio