Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search command

Mouseman123
Explorer
‎11-03-2023 12:37 AM

This would be a piece of cake for someone who uses SPLUNK.
I am  doing a search using the 'stats', çount' and sort commands in the botsv1 index.

I am to find the top ten URI's in ascending order. What is the SPL command? 

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-04-2023 03:39 AM

Note: botsv1 means absolutely nothing to most volunteers in this forum.  If there is something special about this dataset, you need to explain very clearly.  Also important: when you have a sample code that doesn't do what you wanted, you need to illustrate what it actually outputs, and explain why it doesn't meet your requirement if that's not painfully obvious.  Did your sample code give you desired result?

Based on your sample code, I speculate that so-called URI is in the field src_ip?  Why do you use list, not values?  What is the use of list of count?  What's wrong with this simpler formula?

 

index=indexname
|stats values(domain) as Domain count as total by src_ip
| sort -total | head 10

 

Without SPL, can you explain/illustrate what data is like (anonymize as necessary), illustrate what the end result look like using illustrated data, and describe the logic between that data and your desired result?  This is the best way to get help with data analytics.

i can speculate that you want to display individual count of domains by src_ip, too.  If so, designing a proper visual vocabulary is a lot better.  For example:

 

index=indexname
|stats count by domain,src_ip
| sort - count
|stats list(count . " (" . domain . ")") as DomainCount, sum(count) as total by src_ip
|sort - total DomainCount | head 10
|fields - total

 

Just note that this is mathematically equivalent to your code.  So, you will need to illustrate the output and explain why that's not the desired result.

View solution in original post

Reply
Solved! Jump to solution

Mouseman123
Explorer
‎11-03-2023 03:52 AM

Thanks for responding so quickly!!!

The SPL commands I have been trying is as follows:

index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
|sort -total | head 10
|fields - total

The task i have been given is:
Use the stats, count, and sort search terms to display the top ten URI's in ascending order.
This is from the botsv1 dataset


0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-04-2023 03:39 AM

Note: botsv1 means absolutely nothing to most volunteers in this forum.  If there is something special about this dataset, you need to explain very clearly.  Also important: when you have a sample code that doesn't do what you wanted, you need to illustrate what it actually outputs, and explain why it doesn't meet your requirement if that's not painfully obvious.  Did your sample code give you desired result?

Based on your sample code, I speculate that so-called URI is in the field src_ip?  Why do you use list, not values?  What is the use of list of count?  What's wrong with this simpler formula?

 

index=indexname
|stats values(domain) as Domain count as total by src_ip
| sort -total | head 10

 

Without SPL, can you explain/illustrate what data is like (anonymize as necessary), illustrate what the end result look like using illustrated data, and describe the logic between that data and your desired result?  This is the best way to get help with data analytics.

i can speculate that you want to display individual count of domains by src_ip, too.  If so, designing a proper visual vocabulary is a lot better.  For example:

 

index=indexname
|stats count by domain,src_ip
| sort - count
|stats list(count . " (" . domain . ")") as DomainCount, sum(count) as total by src_ip
|sort - total DomainCount | head 10
|fields - total

 

Just note that this is mathematically equivalent to your code.  So, you will need to illustrate the output and explain why that's not the desired result.

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-03-2023 02:34 AM

Pro tip: Do not assume anyone knows anything about your data.

  1. Update the title to a question that clearly defines the problem.  This will help others in the community.  "Splunk search command" conveys no information.
  2. Always illustrate relevant data.  For example, which field contains URI?
  3. Be conscious that many natural language terms are ambiguous.  For example, "top ten URI's" can mean many different things.  What is your definition related to your data?

If the field URI contains URI, and "top ten" means the ten URI's that appear in the most events, this can be

| stats count by URI

I recommend that you read/watch some tutorials. Search Tutorial can be a good place to start.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...