Splunk Search

Splunk Search command

Mouseman123
Explorer

This would be a piece of cake for someone who uses SPLUNK.
I am doing a search using the 'stats', 'count' and 'sort' commands in the botsv1 index.

I am to find the top ten URIs in ascending order. What is the SPL command?

0 Karma
1 Solution

yuanliu
SplunkTrust

Note: botsv1 means absolutely nothing to most volunteers in this forum.  If there is something special about this dataset, you need to explain very clearly.  Also important: when you have sample code that doesn't do what you wanted, you need to illustrate what it actually outputs, and explain why it doesn't meet your requirement if that's not painfully obvious.  Did your sample code give you the desired result?

Based on your sample code, I speculate that so-called URI is in the field src_ip?  Why do you use list, not values?  What is the use of list of count?  What's wrong with this simpler formula?

index=indexname
|stats values(domain) as Domain count as total by src_ip
| sort -total | head 10

Without SPL, can you explain/illustrate what the data is like (anonymize as necessary), illustrate what the end result looks like using the illustrated data, and describe the logic between that data and your desired result?  This is the best way to get help with data analytics.

I can speculate that you want to display the individual count of domains by src_ip, too.  If so, designing a proper visual vocabulary is a lot better.  For example:

index=indexname
|stats count by domain,src_ip
| sort - count
|eval DomainCount = count . " (" . domain . ")"
|stats list(DomainCount) as DomainCount, sum(count) as total by src_ip
|sort - total DomainCount | head 10
|fields - total

Just note that this is mathematically equivalent to your code.  So, you will need to illustrate the output and explain why that's not the desired result.

View solution in original post

Mouseman123
Explorer

Thanks for responding so quickly!!!

The SPL commands I have been trying are as follows:

index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
|sort -total | head 10
|fields - total

The task I have been given is:
Use the stats, count, and sort search terms to display the top ten URIs in ascending order.
This is from the botsv1 dataset.


0 Karma

yuanliu
SplunkTrust

Pro tip: Do not assume anyone knows anything about your data.

  1. Update the title to a question that clearly defines the problem.  This will help others in the community.  "Splunk search command" conveys no information.
  2. Always illustrate relevant data.  For example, which field contains URI?
  3. Be conscious that many natural language terms are ambiguous.  For example, "top ten URIs" can mean many different things.  What is your definition related to your data?

If the field URI contains the URI, and "top ten" means the ten URIs that appear in the most events, this can be

| stats count by URI

I recommend that you read/watch some tutorials. Search Tutorial can be a good place to start.

0 Karma
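To make the SPL in this thread concrete, here is an added Python emulation of the pieces being discussed (stats count by, sort, head, and the difference between list() and values() that the accepted answer asks about, plus that answer's per-src_ip "count (domain)" summary). It is not code from the thread or from Splunk, and it does not touch the botsv1 dataset: the events are constructed sample data, and the field names src_ip, domain and uri are assumed from the question.

```python
from collections import Counter, defaultdict

# Constructed sample web events; they are NOT from the botsv1 dataset. The
# field names src_ip, domain and uri are assumed from the thread.
EVENTS = [
    {"src_ip": "10.0.0.5", "domain": "example.com",     "uri": "/index.html"},
    {"src_ip": "10.0.0.5", "domain": "example.com",     "uri": "/login"},
    {"src_ip": "10.0.0.5", "domain": "cdn.example.net", "uri": "/logo.png"},
    {"src_ip": "10.0.0.7", "domain": "example.com",     "uri": "/index.html"},
    {"src_ip": "10.0.0.7", "domain": "example.com",     "uri": "/login"},
    {"src_ip": "10.0.0.7", "domain": "example.com",     "uri": "/api/users"},
    {"src_ip": "10.0.0.9", "domain": "example.com",     "uri": "/index.html"},
    {"src_ip": "10.0.0.9", "domain": "example.com",     "uri": "/index.html"},
    {"src_ip": "10.0.0.9", "domain": "example.com",     "uri": "/login"},
    {"src_ip": "10.0.0.9", "domain": "api.example.com", "uri": "/api/users"},
    {"src_ip": "10.0.0.9", "domain": "example.com",     "uri": "/admin"},
    {"src_ip": "10.0.0.5", "domain": "example.com",     "uri": "/robots.txt"},
]


def stats_count_by(events, *fields):
    """Emulates `| stats count by f1,f2,...`: one row per distinct
    combination of the by-fields, in first-seen order."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def sort_rows(rows, field, descending=True):
    """Emulates `| sort -field` (descending) or `| sort field` (ascending).
    Python's sort is stable, so ties keep their existing order; Splunk makes
    no promise about tie order, so add a second sort field if it matters."""
    return sorted(rows, key=lambda r: r[field], reverse=descending)


def head(rows, n=10):
    """Emulates `| head n`."""
    return rows[:n]


def top_n_uris(events, n=10, ascending_display=False):
    """`| stats count by uri | sort -count | head n`.

    "Top ten in ascending order" is ambiguous: the ten most frequent URIs
    must be selected with a descending sort first; ascending_display then
    re-sorts only those ten (`| sort count`) for presentation."""
    rows = head(sort_rows(stats_count_by(events, "uri"), "count"), n)
    if ascending_display:
        rows = sort_rows(rows, "count", descending=False)
    return rows


def stats_list_and_values(events, field, by):
    """Emulates `| stats list(field), values(field) by by`:
    list() keeps every occurrence in arrival order, duplicates included
    (Splunk caps it at 100 values); values() keeps the distinct values in
    lexicographic order."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e[by]].append(e[field])
    return {k: {"list": v, "values": sorted(set(v))} for k, v in grouped.items()}


def domain_summary_by_src_ip(events):
    """Emulates the accepted answer's summary: count by domain,src_ip,
    sort by count, then per src_ip a multivalue "count (domain)" column
    plus the total, most active client first."""
    rows = sort_rows(stats_count_by(events, "domain", "src_ip"), "count")
    summary = {}
    for r in rows:
        s = summary.setdefault(r["src_ip"], {"DomainCount": [], "total": 0})
        s["DomainCount"].append(f'{r["count"]} ({r["domain"]})')
        s["total"] += r["count"]
    return sorted(summary.items(), key=lambda kv: kv[1]["total"], reverse=True)


if __name__ == "__main__":
    for row in top_n_uris(EVENTS, 3):
        print(row["count"], row["uri"])
    for src_ip, s in domain_summary_by_src_ip(EVENTS):
        print(src_ip, s["total"], s["DomainCount"])
```

Run it as a script to see the three most requested URIs and the per-client domain summary; the same pipeline in Splunk would be "| stats count by uri | sort -count | head 10", with a trailing "| sort count" only if the ten rows are meant to be displayed smallest first.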