index=INDEX_NAME | top limit=20 referer_domain categoryId
@rishabh4, you have mentioned three cases. To begin with, you need three commands:
Top 20 domain (Do not show percent, show count)
<YourBaseSearch> referer=* | top 20 referer_domain showperc=f showcount=t
Top 20 category (Do not show percent, show count)
<YourBaseSearch> categoryId=* | top 20 categoryId showperc=f showcount=t
PS: There might not be 20 categories in the tutorial data.
Status code count
<YourBaseSearch> status=* | stats count as Count by status | sort - Count
For details on any SPL command you should refer to docs.splunk.com. When you load the data, ensure that you check which index the data is loaded into and what the sourcetype is. Splunk's default index is main (unless you have created your own). Also, the tutorial data belongs to two sourcetypes, access and secure. So your base search could be as follows. The following is an example of a base search; it may vary based on how you have added the data.
There is scope for using post-processing in your searches if you want to add multiple searches to a single dashboard. However, that is a slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.
PS: Immediately after adding the data, Splunk gives you an option to search the added data (Start Searching), which builds a sample base search.
@rishabh4 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
Listed below are all the required SPL queries:
Case-1 : Total Number of Hits:
index=ds | stats count by clientip | stats sum(count) as TotalNumberof_Hits
Note: Ensure you replace the index name ds with your own created index or the default main.
Explanation: The number of hits can be calculated as the number of individual hits on the server by each client.
Case-2 : Top 20 category and Domain :
index=ds | top 20 categoryId showperc=f showcount=t | table categoryId | join [search index=ds | top 20 referer_domain showperc=f showcount=t | table referer_domain]
Explanation: Separately find domain and category and then use join to get a single result with a combination of both.
Note: Find suitable fields to get the desired result, like referer_domain and categoryId here.
Case-3 : status code count :
index=ds status=* | stats count as "Status code count"
Explanation: Gives the count of all the status codes, like status 401 (failure), status 200 (success), etc.
In addition, I have attached a dashboard snapshot with all these cases' data as separate panels embedded in a single dashboard.
Happy Splunking :>
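Both answers above end by pointing at a single dashboard: the first mentions post-processing a base search, the second shows the three cases as separate panels. The Simple XML below is an added example (not code from either answerer or from Splunk's tutorial) that wires the two ideas together: one base search that is run once, and four panels that post-process it. It assumes the tutorial web data sits in index main under sourcetype access_combined_wcookie and that the field names referer_domain, categoryId, status and clientip from the thread are present; the 7-day time range is an arbitrary choice.

```xml
<dashboard>
  <label>Tutorial web traffic (base search + post-process)</label>

  <!-- Base search: assumed index/sourcetype for the tutorial data.
       It is made transforming (stats) so the post-process panels are
       cheap and not subject to the raw-event limits of post-processing.
       fillnull keeps events that lack categoryId or referer_domain;
       without it "stats ... by" silently drops any event where one of
       the by-fields is null, which would undercount total hits. -->
  <search id="base">
    <query>index=main sourcetype=access_combined_wcookie
| fillnull value="NULL" referer_domain categoryId status
| stats count by referer_domain categoryId status clientip</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Case 1: total number of hits</title>
      <single>
        <search base="base">
          <query>| stats sum(count) as TotalNumberof_Hits</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Case 3: hits per HTTP status code</title>
      <table>
        <search base="base">
          <query>| stats sum(count) as Count by status | sort - Count</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Case 2a: top 20 referer domains</title>
      <table>
        <search base="base">
          <!-- stats/sort/head reproduces "top 20 ... showperc=f showcount=t"
               on pre-aggregated rows; the NULL bucket is dropped here -->
          <query>| search referer_domain!="NULL"
| stats sum(count) as count by referer_domain
| sort - count | head 20</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Case 2b: top 20 categories</title>
      <table>
        <search base="base">
          <query>| search categoryId!="NULL"
| stats sum(count) as count by categoryId
| sort - count | head 20</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this as the source of a new dashboard (Dashboards > Create New Dashboard > Source). If your data landed under a different index or sourcetype, change only the first line of the base query; the panels post-process whatever rows it returns. The status panel is the one worth watching from a security standpoint: a sudden rise in the 401 or 403 row relative to 200 is the first hint of credential guessing or forced browsing, and because the base search keeps clientip, adding `| stats sum(count) as Count by clientip status` to that panel shows which clients are producing the failures.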