Splunk Search

Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

rishabh4
New Member

How do I find the number of hits, the top 20 categories and the top 20 domains using the tutorial data on Splunk? Please help, I am new to Splunk. I also want to know the "status code count" of it, so please help me fast.

0 Karma
1 Solution

niketn
Legend

@rishabh4, you have mentioned three cases. To begin with, you need three commands.

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 categories in the tutorial data.

Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data, ensure that you check which index the data is loaded into and what the sourcetype is. The Splunk default index is main (unless you have created your own). Also, the tutorial data belongs to two sourcetypes, access and secure. So your base search could be as follows; it is only an example and may vary based on how you have added the data.

index=main sourcetype=access*

There is scope for using post-processing in your searches if you want to add multiple searches to a single dashboard. However, that is a slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data, Splunk gives you an option to search the added data (Start Searching), which builds a sample base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

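As an added example, not part of niketn's post, the following Simple XML dashboard shows the post-processing approach the answer mentions: the three searches above plus a total-hits panel all run off one base search. The index, sourcetype and field names are taken from the answer; the time range and the `fields` list in the base search are assumptions.

```xml
<dashboard>
  <label>Tutorial data: hits, top domains, top categories, status codes</label>
  <!-- Base search runs once; index and sourcetype as in the answer above.
       "fields" keeps only what the panels need, which keeps post-processing cheap.
       Assumed time range: all time, because the tutorial data has fixed old timestamps. -->
  <search id="base">
    <query>index=main sourcetype=access* | fields clientip referer_domain categoryId status</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Number of hits</title>
      <single>
        <!-- Post-process query is appended to the base search; it starts with a command, not a pipe -->
        <search base="base">
          <query>stats count as Hits</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Status code count</title>
      <table>
        <search base="base">
          <query>search status=* | stats count as Count by status | sort - Count</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 20 domains</title>
      <table>
        <search base="base">
          <query>search referer_domain=* | top 20 referer_domain showperc=f showcount=t</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Top 20 categories</title>
      <table>
        <search base="base">
          <query>search categoryId=* | top 20 categoryId showperc=f showcount=t</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste it as the source of a new dashboard (Dashboards, Create New Dashboard, then Source); if your data sits in a different index or sourcetype, change only the base search and every panel follows.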

dibyanshu
New Member

Listed below are all the required SPL queries:

Case-1 : Total Number of Hits:

index=ds | stats count by clientip | stats sum(count) as Total_Number_of_Hits

Note: Ensure that you replace the index name ds with your own created index or the default, main.
Explanation: The number of hits can be calculated as the number of individual hits on the server by each client.

Case-2 : Top 20 category and Domain :

index=ds | top 20 categoryId showperc=f showcount=t | table categoryId | join [search index=ds | top 20 referer_domain showperc=f showcount=t | table referer_domain]

Explanation: Separately find domain and category, then use join to get a single result combining both.
Note: Find suitable fields to get the desired result, like domain and categoryId here.

Case-3 : status code count :

index=ds status=* | stats count as "Status code count"

Explanation: Gives the count of all the status codes, like status 401 (failure), status 200 (success), etc.

In addition, I have attached a dashboard snapshot with the data for all these cases as separate panels embedded in a single dashboard.

Happy Splunking

0 Karma

aaraneta_splunk
Splunk Employee

@rishabh4 - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

skoelpin
SplunkTrust

Try this

index=INDEX_NAME | top limit=20 referer_domain categoryId
