Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

rishabh4
New Member
‎03-21-2017 09:07 AM

How to find the number of hits and top 20 category and top 20 domain using the tutorial data on Splunk. Please help, I am new to Splunk. I also want to know the "status code count" of it so please help me fast.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 08:08 PM

@rishabh4. You have mentioned three cases. To begin with you need three commands

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 Categories in tutorial data
Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data ensure that you check what index data is loaded and what is the sourcetype. Splunk default index is main (unless you have created your own). Also the tutorial data belong to two sourcetypes access and secure. So your base search could be. Following is an example for base search it may vary based on how you have added data. 

index=main sourcetype=access*

There is a scope of using Post Processing in your searches if you want to add multiple search to single dashboard. However, that is slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data Splunk gives you an option to search Added data (Start Searching) which builds a sample base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

dibyanshu
New Member
‎08-31-2019 01:21 PM

Listed below all required spl-query::

Case-1 : Total Number of Hits:

==============index=ds |stats count by clientip |stats sum(count) as Total_Number_of_Hits=======================

Note: Ensure to replace index name: ds with your own created or default-main
Explanation : Number of hits can be calculated by number of individual hits on server by each client

Case-2 : Top 20 category and Domain :

===================index=ds | top 20 categoryId showperc=f showcount=t |table categoryId |join [search index=ds | top 20 referer_domain showperc=f showcount=t |table referer_domain] ============================

Explanation: separately find domain and category and then use join to get single result with combination of both
Note: Find suitable fields to get desire result like domain and categoryId here

Case-3 : status code count :

=====================index=ds status=* |stats count as "Status code count"====================

Explanation : Gives count of all the status code like status 401-faliure, status 200-success ..

In addition i have attached Dashboard snapshot with all these cases-data as separate panel embedded in single dashboard.

Happy Splunking :alt text>

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-22-2017 09:44 AM

@rishabh4 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 08:08 PM

@rishabh4. You have mentioned three cases. To begin with you need three commands

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 Categories in tutorial data
Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data ensure that you check what index data is loaded and what is the sourcetype. Splunk default index is main (unless you have created your own). Also the tutorial data belong to two sourcetypes access and secure. So your base search could be. Following is an example for base search it may vary based on how you have added data. 

index=main sourcetype=access*

There is a scope of using Post Processing in your searches if you want to add multiple search to single dashboard. However, that is slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data Splunk gives you an option to search Added data (Start Searching) which builds a sample base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-21-2017 09:44 AM

Try this

index=INDEX_NAME | top limit=20 referer_domain categoryId

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c; Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...