Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

list "top" command question

dikaye
Path Finder
‎02-15-2011 06:35 AM

Hi, My mail server logs display recipient info like that: 

Feb 14 16:04:25 224.67.24.175 Feb 14 16:04:25 mail_logs: Info: MID 1563086 ICID 1105367 RID 0 To: <user.1@abc.com>

How can I list the top 10 recipients by search command?

Thanks.

Tags (1)
0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 08:42 AM

You need to remove the : from To in your search.

Also... If you haven't trained Splunk to recognize your To field, you'll want to run the IFX wizard to extract the field. Here's a link on how to do this:

http://www.splunk.com/base/Documentation/4.1.7/User/InteractiveFieldExtractionExample

Reply

dikaye
Path Finder
‎02-15-2011 07:33 AM

I create it as the savedsearches.conf like that:

[Top recipients - pie chart]
action.email.sendresults = 0
dispatch.ttl = 3600
displayview = report_builder_display
relation = None
request.ui_dispatch_view = report_builder_display
search = index=all_test host=224.67.24.175 | top To: limit=10
vsid = *:fwkfzepj

But, when I run this saved search, it has not thing display.

Why?

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 06:39 AM

Assuming you have your fields extracted properly:

... | top limit=10 To
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...