...time | sitop 5 field1 by _time
What we notice is that there are two buckets created within a single day. One has a 12:00 AM value and the other has a 5:00 PM value. We just need all of the e...
...uery" is a defined field in my dns eventtype") such as:
sourcetype="dns" query_type="A" query!="some.domain.x" | sitop query limit="50"
At this point though, this has made my search quite long as t...
...<"LOG">.{300})" | sitop limit=100 LOG (I had to quote "LOG" for the wiki text parser; the actual search contains no quotes around LOG)
start time: -6m end time: -1m (to account for the s...
...’ve looked at the loadjob command but that has a limit of 25,000 events.
I've looked at the sitop command, but that limits the second search to just a top. As far as I know top is limited to a...
Hi,
I wonder whether someone may be able to help me please.
I have successfully created a 'Summary Index' report and a dashboard which displays the results.
The problem I have is that the d...
I have a top ten search for Windows errors that I run each day.
My boss wants to know how many days each of the top ten have been on the top ten list.
The report should look like this:
Eve...
Hey everyone,
We currently have a query that tracks the top 100 users hitting our server in the past 24hrs. It looks something like this:
index=*ind* source=*src1.log sourcetype=serve type=INF...
...ttps://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usesummaryindexing, and I can't figure out which one to use to match my scenario: sichart, sitimechart, sistats, sitop, sirare
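For a "top N users over the last 24 hours" report like the one above, the summary-indexing counterpart of top is sitop: a scheduled search runs sitop over each short window and writes its partial results to a summary index, and the dashboard search then runs plain top over that index. The savedsearches.conf fragment below is an added example written for this page, not the poster's configuration or anything from the linked documentation; the stanza names, the index (web, summary), the field (user) and the report tag (top_users_24h) are assumptions chosen for illustration.

```ini
# savedsearches.conf (added example; index, field and stanza names are assumptions)

[summary_top_users_24h]
# Hourly collector: sitop writes the partial top-N results for one hour to the summary index.
search = index=web sourcetype=access_combined | sitop limit=100 user
# Run at five past the hour over the previous full hour, leaving a small lag
# so late-arriving events are not missed at the window edge.
cron_schedule = 5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
enableSched = 1
# Send results to the summary index rather than the normal search results store.
action.summary_index = 1
action.summary_index._name = summary
# Extra field stamped on every summary event so the report can select this search's output only.
action.summary_index.report = top_users_24h

[report_top_users_24h]
# Dashboard search: plain top over the summary events, selecting only this collector's output.
search = index=summary report=top_users_24h | top limit=100 user
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
```

The collector must emit sitop with the same field and limit the reporting search will ask for, since the summary holds per-window partial counts rather than raw events; and the reporting search uses top, not sitop, because sitop only prepares data for summary indexing. The report field is needed because a summary index is typically shared by several collectors, and without a selector top would merge their partial results.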
Hi there,
I am constructing a series of searches for a dashboard for annual audit. Because it is necessary to parse out the un-used portion of the maillog, is it possible to use a search first doe...