Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

event count, per user, per hour

tmarlette
Motivator
‎06-05-2013 02:28 PM

So i'm attempting to count a specific event type, per user, per hour. I only want the tope ten users, and I thought the 'top' command would do it, but I'm hitting a snag. The top command doesn't output any data at all.
I'm looking for this data to output in a table format with the fields time,user,count.

I attempted to use the following search query:

host=< myhost > eventtype=< my event type > | timechart span=1h count by user useother=false

Thank you!!

Tags (2)
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-06-2013 06:47 AM

I think the issue is the output format of the table using time chart. If you manually bucket I think you will get a better result.

Try this:

host=< myhost > eventtype=< my event type > | bucket _time span=1h | stats count by _time,user | sort - count | head
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-06-2013 07:44 AM

Yeah you could do a subsearch and use that on the initial search. Something like below but you may need to play with it a bit.

host=< myhost > eventtype=< my event type > [ search host=< myhost > eventtype=< my event type > | top user | table user] | bucket _time span=1h | stats count by _time,user | sort - count | head

http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch

0 Karma
Reply

tmarlette
Motivator
‎06-06-2013 07:40 AM

bucketing is exactly what I was looking for as far as the count for the time span! Thank you!

This gives the most recent offenders/instances, though I am looking for information on only the top ten offenders.

It's almost like I would need to run a search first to find the top ten offenders, then break out each user into a '_time" bucket and show their stats per hour individually? I'm guessing here 😃

0 Karma
Reply

kml_uvce
Builder
‎06-05-2013 09:50 PM

try this...

host=< myhost > eventtype=< my event type > | timechart span=1h limit=10 useother=f count by user

kamal singh bisht
0 Karma
Reply

tmarlette
Motivator
‎06-06-2013 06:30 AM

Almost! The result set I get now is the ten (limit=10) most recent offenders.

I thought the 'top' command was the way to go, but I can't seem to get the search to roll it's results to the top command and have it output the data.

0 Karma
Reply

tmarlette
Motivator
‎06-05-2013 02:49 PM

It looks like I'm getting the latest 20 users, which are not the top offenders I am looking for.

0 Karma
Reply

Ayn
Legend
‎06-05-2013 02:43 PM

So, what was the result of the query you attempted?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...