Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Top 5 events for every month

emamedov
Explorer
‎06-28-2016 09:33 AM

I'm currently using the following log statement:

Jun-28 12:00:28 | INFO| [Controller:116] Downloading file content: fileName:  [Way Too Easy.pdf]

The intent is to generate a result that lists the top 5 downloads for every month and the percentage of downloads compared to every other event in that month. It would look something along the lines of:

alt text

Using the the following search string gets me close to it, but not quite.

eventtype="document-downloads" | eval Month=strftime(_time,"%m/%Y") | top limit=5 fileName by Month
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-28-2016 10:54 AM

See if the following gets you what you need:

 eventtype="document-downloads" | top limit=5 fileName by date_month | eventstats sum(count) as sum by date_month | eval percent=count/sum | table date_month fileName count percent

I tested this trying to do the same thing you did, except with the top 5 Windows Event Logs for given months. See the following search. 

index=wineventlog| top limit=5 EventCode by date_month | eventstats sum(count) as sum by date_month | eval percent=count/sum | table date_month EventCode count percent

View solution in original post

Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-28-2016 10:54 AM

See if the following gets you what you need:

 eventtype="document-downloads" | top limit=5 fileName by date_month | eventstats sum(count) as sum by date_month | eval percent=count/sum | table date_month fileName count percent

I tested this trying to do the same thing you did, except with the top 5 Windows Event Logs for given months. See the following search. 

index=wineventlog| top limit=5 EventCode by date_month | eventstats sum(count) as sum by date_month | eval percent=count/sum | table date_month EventCode count percent
Reply
Solved! Jump to solution

emamedov
Explorer
‎06-28-2016 11:26 AM

It was close, this is what I ended up with:

eventtype="document-downloads" | eval Month=strftime(_time,"%m/%Y") 
| top limit=10 fileName by Month 
| stats list(*) as * by Month 
| table Month fileName count percent
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...