I have my search as below index=xyz source=yhg | convert ctime(_time) as Date_and_Time|convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time) as time |eventstats range(time) as duration by student_id| stats avg(duration) as avgDurationPer_student_id by sudent_id | eval Total_time_spent(out_of_collage)=tostring(ceil(avgDurationPer_student_id), "duration") | table student_id Total_time_spent(out_of_collage) The above search displays the result of the total time spent on the website by each student_id as below student_id Total_time_spent(out_of_collage) X123345 19:39:35 H900639 20:05:58 D900643 17:47:40 V106127 00:00:00 Now how can I modify above search and display the above table only for only top 5 student_id's instead of listing out all the student_id's based on the Total_time_spent(out_of_collage) which is hours:minutes:seconds format ... View more

I have my splunk search as below My Search | where date_hour>=16 OR date_hour<9| convert ctime(_time) as Date_and_Time |eval StartHour=strftime(_time,"%H")|eval EndHour=strftime(_time,"%H") |stats earliest(StartHour) as StartHour latest(EndHour) as EndHour by student_id which displays the result as below student_id StartHour EndHour X1234 00 19 Y6789 00 20 V5678 02 20 G4567 06 06 Now I'm trying to acheive something like below student_id StartHour EndHour starthour_and_endhour_yesterday average(starthour_and_endhour)_for_last_7_days standard_deviation X1234 00 19 00-18 00-03 Y6789 00 20 01-19 02-19 V5678 02 20 02-19 03-19 G4567 06 06 06-06 06-06 Where standard_deviation is if student_id accessing starthour_and_endhour is 3 times standard deviation of average Now how can i calculate all the fields as mentioned above. Is it possible to acheive by splunk to find the suspecious behaviour of a student_id as mentioned on the above format? ... View more

I have a search which displays the average_time_spent in the format "hh:mm:ss" my search | eval field_in_hhmmss=tostring(avgDurationPerpid, "duration") | table id field_in_hhmmss which displays as below id field_in_hhmmss 23 01:58:36.344000 Now how can i round up the seconds part in an understandable way like instead of 01:58:36.344000 it should display as 01:58:37? ... View more

I have a search as follows which displays the total number of students who accessing college website outside of college hours. My Search | where date_hour>=16 OR date_hour<9 | convert ctime(_time) as Date_and_Time | stats dc(student_id) as Total Now I'm trying to determine the range/average of out of college accessing times per each student from the above search result? I'm trying to get the result as below student_id Average_accessing_time_range A1111 18:00 - 20:00 B3211 00:00 - 2:00 Will it be possible to get the result like above by using the Splunk? ... View more

Hi I have a Splunk search as below : My Search| where date_hour>=19 OR date_hour<7| bin span=1h _time | convert ctime(_time) as Date_and_Time | stats values(page) as page_accessed by user_id| sort-count | head 5 |rename user_id AS Student_id | Which displays the result as follows : Student_id page_accessed A1234 HomePage SemesterReport B5678 HomePage Course_Structure Syllabus A5678 Attendance HomePage B1234 CourseStructure So, now I want to display only the Student_id's who are visiting pages outside of what they regularly access, is it possible to identify that in Splunk? For example, consider Student id "A1234": Daily he used to access the HomePage, SemesterReport but yesterday he is accessing the CourseStructure Page. I want to see his student-id and what he visited other than what he regularly visited as next the panel. ... View more

I'd extracted 2 fields in props.conf as below: [abc_xml_v1] EXTRACT-abc_rac_cd_instance = ^/(cs|app)/abc/.*/adump/(?[^o][^_]+) in source EXTRACT-abc_single_cd_instance = ^/(cs|app)/abc/(?[^/]+)/.*/adump/o in source Which means I'd extracted two fields in a source with the same field name "cd_instance". In such cases, which extraction will Splunk consider for the field "cd_instance" ? Any idea? ... View more

I have a search as follows: index="x" search_name="`Y`" (status=Z) | `A` |`B` where A and B are macros Now how can I see the complete search by expanding all the Y, A, and B? Also, if the macros (A and B) contain some internal macros and also some internal tags, how can I expand them all and see the complete search? ... View more

Considering a field "user_name". What could be the search to find the anomalies per hour for each user_name in a day? ... View more

How to Compute the mean activity volume per user in each hour yesterday, and find the ones more than n standard deviations above the mean? Note: Considering user as a field Any ideas about writing a search which satisfies the above condition? ... View more

I have the below search_1 My search |top 5 users I have a second search as below My search |stats values(field_1) as field_1 values(field_2) as field_2 by users Now how can I combine these two searches and display a result in tabular chart which contains field_1 and field_2 values of the top 5 users only? ... View more

For the below search My search | timechart span=1h limit=0 count by student Is it possible to list out the anomalous for each student? Thanks in advance! ... View more

I have a search as follows :- My search | timechart span=1h limit=0 count by city Now how can I calculate the mean activity volume per city? And how to find the one's more than n standard deviations above the mean? ... View more

I have a search as follows: My search | timechart span=1h limit=0 count by users Which displays a line graph for the past 7 days. Now I'm looking to modify the search to display only the top 5 users (based on the event count) in a pie chart. How can I modify my search to get the result like that? ... View more

I have a search as follows My search | bin span=1h _time | stats values(field_1) as Field_1 by _time Field_2 Which displays the result as follows _time Field_2 Field_1 123 jkl gsad Now I want my search to modify the result to add a field which displays the total event count of Field_1(Field_1_count) next to it like below. How can i do that? _time Field_2 Field_1 Field_1_count 123 jkl gsad 23 ... View more

I have a timechart which displays the results for the past 7 days. But now i don't want the Splunk to display the results for 24 hours of the each day in last 7 days. Instead of that, I just want to display the timechart from evening 7'o clock to morning 7'o clock for the last 7 days. Is this scenario possible in Splunk? If yes, how can we do that? ... View more

I have a search as follows in which I am trying to display 2 fields (My Search) | timechart span=1h count by field_username which displays the result as follows _time user_a user_b user_c user_d ---------------------------------- I don't want like this. All I am looking is as follows _time users_list_of_that_particullar_hour count_of_that_hour ... View more

I have a search as follows field="abc"| eval b=len(_raw) | timechart span=1h sum(b) as b | eval mb=round(b/1024/1024,2) | eval gb=round(b/1024/1024/1024,2) | eventstats avg(gb) as Avg Which displays the result as follows Now I want to modify my search to see a time chart which displays the average gb for each host per hour. Is there any way to modify my search to display like that? ... View more

I have a search as follows field_id="X" | eval b=len(_raw) | stats sum(b) as b | eval gb=round(b/1024/1024/1024,2) | eventstats avg(gb) as Avg Which displays the average gb per each day for that particular search. Now, how can I make to display average of each host for that particular search in a timechart? ... View more

Does anyone have seen this error while trying to forward some data to the indexer. Source of the error :- var/log/authlog xyz12345 adclient[1234]: WARN abc.loader Skipping right with id 87654321 due to parse error: basic_string::substr ... View more