Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Top 10 event counts per day

Volto
Path Finder
‎07-26-2012 01:47 PM

I have a search that gives me the event counts for each host every hour and compares that count against a running average of event counts for each host. When a host has a higher event count than the average for that hour it is marked as an outlier. I want to table the top 10 outliers based on the difference between the event count at that hour and the running average for each day.

So I'll have 10 hosts for Monday, Tuesday, Wednesday, etc. Is something like this possible? I have the difference already in my data set.

Thanks for the help.

Tags (2)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎12-29-2012 09:23 PM

example with an eval to calculate the difference, and sort the hosts



mysearchthatcalculatesall | stats max(event) AS current avg(average_number_of_events) AS average by host date_mday

| eval outlier_count=current-average | where outlier>0 

| sort -outlier  | head 10

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...