Splunk Search

event count, per user, per hour

tmarlette
Motivator

So I'm attempting to count a specific event type, per user, per hour. I only want the top ten users, and I thought the 'top' command would do it, but I'm hitting a snag. The top command doesn't output any data at all.
I'm looking for this data to output in a table format with the fields time,user,count.

I attempted to use the following search query:

host=< myhost > eventtype=< my event type > | timechart span=1h count by user useother=false

Thank you!!


okrabbe_splunk
Splunk Employee

I think the issue is the output format of the table using timechart. If you manually bucket I think you will get a better result.

Try this:

host=< myhost > eventtype=< my event type > | bucket _time span=1h | stats count by _time,user | sort - count | head

okrabbe_splunk
Splunk Employee

Yeah you could do a subsearch and use that on the initial search. Something like below but you may need to play with it a bit.

host=< myhost > eventtype=< my event type > [ search host=< myhost > eventtype=< my event type > | top user | table user] | bucket _time span=1h | stats count by _time,user | sort - count | head

http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch

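The subsearch approach above, modelled as an added example that is not from the thread or from Splunk: the same "find the top N users over the whole window, then count their events per hour bucket" logic, run over a constructed list of events so the difference between "top offenders" and "most recent users" is visible. Function names and the sample events are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): (ISO timestamp, user).
# The host/eventtype filter is assumed to have been applied already.
SAMPLE_EVENTS = [
    ("2024-01-01T10:05:00", "alice"), ("2024-01-01T10:20:00", "alice"),
    ("2024-01-01T10:40:00", "bob"),   ("2024-01-01T11:02:00", "alice"),
    ("2024-01-01T11:15:00", "carol"), ("2024-01-01T11:30:00", "bob"),
    ("2024-01-01T12:01:00", "dave"),  ("2024-01-01T12:10:00", "dave"),
    ("2024-01-01T12:55:00", "erin"),  # most recent event, but a one-off user
]

def bucket_hour(ts: str) -> str:
    """Equivalent of `bucket _time span=1h`: floor the timestamp to the hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0).isoformat()

def top_users(events, n=10):
    """Equivalent of the subsearch `| top user | table user`: the n users with
    the highest total count over the whole window (not the most recent ones).
    Ties are broken alphabetically so the result is deterministic."""
    totals = Counter(user for _, user in events)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [user for user, _ in ranked[:n]]

def hourly_counts_for_top_users(events, n=10):
    """Outer search restricted to the subsearch result, then
    `stats count by _time,user | sort - count`.
    Returns (hour_bucket, user, count) rows, highest count first."""
    keep = set(top_users(events, n))
    counts = defaultdict(int)
    for ts, user in events:
        if user in keep:  # the subsearch acts as a `user=... OR user=...` filter
            counts[(bucket_hour(ts), user)] += 1
    rows = [(hour, user, c) for (hour, user), c in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for hour, user, count in hourly_counts_for_top_users(SAMPLE_EVENTS, n=3):
        print(f"{hour}\t{user}\t{count}")
```

With n=3, erin (the most recent user) is dropped while alice, bob and dave are kept, which is the distinction the thread is chasing.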

tmarlette
Motivator

Bucketing is exactly what I was looking for as far as the count for the time span! Thank you!

This gives the most recent offenders/instances, though I am looking for information on only the top ten offenders.

It's almost like I would need to run a search first to find the top ten offenders, then break out each user into a '_time' bucket and show their stats per hour individually? I'm guessing here 😃


kml_uvce
Builder

Try this...

host=< myhost > eventtype=< my event type > | timechart span=1h limit=10 useother=f count by user


tmarlette
Motivator

Almost! The result set I get now is the ten (limit=10) most recent offenders.

I thought the 'top' command was the way to go, but I can't seem to get the search to roll its results to the top command and have it output the data.


tmarlette
Motivator

It looks like I'm getting the latest 20 users, which are not the top offenders I am looking for.


Ayn
Legend

So, what was the result of the query you attempted?
