Note: botsv1 means absolutely nothing to most volunteers in this forum. If there is something special about this dataset, you need to explain very clearly. Also important: when you have sample code that doesn't do what you wanted, you need to illustrate what it actually outputs, and explain why it doesn't meet your requirement if that's not painfully obvious. Did your sample code give you the desired result?
Based on your sample code, I speculate that so-called URI is in the field src_ip? Why do you use list, not values? What is the use of list of count? What's wrong with this simpler formula?
index=indexname
|stats values(domain) as Domain count as total by src_ip
| sort -total | head 10
Without SPL, can you explain/illustrate what the data is like (anonymize as necessary), illustrate what the end result looks like using illustrated data, and describe the logic between that data and your desired result? This is the best way to get help with data analytics.
I can speculate that you want to display individual counts of domains by src_ip, too. If so, designing a proper visual vocabulary is a lot better. For example:
index=indexname
| stats count by domain,src_ip
| sort -count
| stats list(eval(count . " (" . domain . ")")) as DomainCount, sum(count) as total by src_ip
| sort -total DomainCount | head 10
| fields - total
Just note that this is mathematically equivalent to your code. So, you will need to illustrate the output and explain why that's not the desired result.
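To make the "illustrate the output" request concrete, here is an added Python re-implementation of the three searches above (not Splunk code and not from the original post), run over a handful of constructed events. It shows what values() versus list() produce per src_ip, and what the plain "count by URI, sort, head 10" reading of the task gives; field names src_ip and domain are taken from the thread, the event data is made up.

```python
from collections import Counter, defaultdict

# Constructed sample events (not taken from botsv1): a source IP and the domain it requested.
EVENTS = (
    [{"src_ip": "10.0.0.5", "domain": "example.com"}] * 3
    + [{"src_ip": "10.0.0.5", "domain": "bad.test"}]
    + [{"src_ip": "10.0.0.9", "domain": "bad.test"}] * 2
    + [{"src_ip": "10.0.0.7", "domain": "cdn.test"}]
)


def count_by_domain_src(events):
    """| stats count by domain,src_ip"""
    return Counter((e["domain"], e["src_ip"]) for e in events)


def values_by_src(events):
    """| stats values(domain) as Domain count as total by src_ip
    values() de-duplicates and sorts; count is the total number of events per src_ip."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["src_ip"]].append(e["domain"])
    return {ip: (sorted(set(ds)), len(ds)) for ip, ds in per_ip.items()}


def domain_count_by_src(events, limit=10):
    """| stats count by domain,src_ip | sort -count
       | stats list(eval(count." (".domain.")")) as DomainCount, sum(count) as total by src_ip
       | sort -total | head <limit>
    list() keeps every row in arrival order, so DomainCount follows the earlier sort.
    Ties within one src_ip keep Python's stable order; Splunk does not guarantee tie order."""
    rows = sorted(count_by_domain_src(events).items(), key=lambda kv: -kv[1])
    per_ip = defaultdict(lambda: {"total": 0, "DomainCount": []})
    for (domain, ip), c in rows:
        per_ip[ip]["total"] += c
        per_ip[ip]["DomainCount"].append(f"{c} ({domain})")
    top = sorted(per_ip.items(), key=lambda kv: -kv[1]["total"])[:limit]
    return [(ip, v["total"], v["DomainCount"]) for ip, v in top]


def top_uris(events, field="domain", limit=10):
    """| stats count by <field> | sort -count | head <limit>: the plain reading of "top ten URIs"."""
    return Counter(e[field] for e in events).most_common(limit)


if __name__ == "__main__":
    for ip, total, dc in domain_count_by_src(EVENTS):
        print(ip, total, dc)
    print(values_by_src(EVENTS))
    print(top_uris(EVENTS))
```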
Thanks for responding so quickly!!!
The SPL commands I have been trying are as follows:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
|sort -total | head 10
|fields - total
The task I have been given is:
Use the stats, count, and sort search terms to display the top ten URIs in ascending order.
This is from the botsv1 dataset.
Pro tip: Do not assume anyone knows anything about your data.
- Update the title to a question that clearly defines the problem. This will help others in the community. "Splunk search command" conveys no information.
- Always illustrate relevant data. For example, which field contains URI?
- Be conscious that many natural language terms are ambiguous. For example, "top ten URI's" can mean many different things. What is your definition related to your data?
If the field URI contains the URI, and "top ten" means the ten URIs that appear in the most events, this can be
| stats count by URI
I recommend that you read/watch some tutorials. Search Tutorial can be a good place to start.
data:image/s3,"s3://crabby-images/5d9f8/5d9f80c54160124d38856b77a799077db7d57026" alt=""