Splunk Search

Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

rishabh4
New Member

How to find the number of hits and top 20 category and top 20 domain using the tutorial data on Splunk. Please help, I am new to Splunk. I also want to know the "status code count" of it so please help me fast.

0 Karma
1 Solution

niketn
Legend

@rishabh4. You have mentioned three cases. To begin with you need three commands

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 Categories in tutorial data
Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data ensure that you check what index data is loaded and what is the sourcetype. Splunk default index is main (unless you have created your own). Also the tutorial data belong to two sourcetypes access and secure. So your base search could be. Following is an example for base search it may vary based on how you have added data.

index=main sourcetype=access*

There is a scope of using Post Processing in your searches if you want to add multiple search to single dashboard. However, that is slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data Splunk gives you an option to search Added data (Start Searching) which builds a sample base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

dibyanshu
New Member

Listed below all required spl-query::

Case-1 : Total Number of Hits:

==============index=ds |stats count by clientip |stats sum(count) as Total_Number_of_Hits=======================

Note: Ensure to replace index name: ds with your own created or default-main
Explanation : Number of hits can be calculated by number of individual hits on server by each client

Case-2 : Top 20 category and Domain :

===================index=ds | top 20 categoryId showperc=f showcount=t |table categoryId |join [search index=ds | top 20 referer_domain showperc=f showcount=t |table referer_domain] ============================

Explanation: separately find domain and category and then use join to get single result with combination of both
Note: Find suitable fields to get desire result like domain and categoryId here

Case-3 : status code count :

=====================index=ds status=* |stats count as "Status code count"====================

Explanation : Gives count of all the status code like status 401-faliure, status 200-success ..

In addition i have attached Dashboard snapshot with all these cases-data as separate panel embedded in single dashboard.

Happy Splunking :alt text>

alt text

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@rishabh4 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

niketn
Legend

@rishabh4. You have mentioned three cases. To begin with you need three commands

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 Categories in tutorial data
Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data ensure that you check what index data is loaded and what is the sourcetype. Splunk default index is main (unless you have created your own). Also the tutorial data belong to two sourcetypes access and secure. So your base search could be. Following is an example for base search it may vary based on how you have added data.

index=main sourcetype=access*

There is a scope of using Post Processing in your searches if you want to add multiple search to single dashboard. However, that is slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data Splunk gives you an option to search Added data (Start Searching) which builds a sample base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin
SplunkTrust
SplunkTrust

Try this

index=INDEX_NAME | top limit=20 referer_domain categoryId

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...