Splunk top 10

Hi everyone

We're using Splunk in a SIEM environment and I have a search that returns all the bad event signatures with a count, sorted by the source department where the bad event signature was picked up.

Like this:

That is obviously a simplified view of what we have. We have hundreds of signatures for bad events per department.

What I'm looking for is taking my results and limiting it to the top 10 signatures per department.

The moment I introduce the 'top' command to my search, I get skewed results. Logic dictates that what I want to do should be easy, but I'm struggling quite a bit.

This is the search I have at the moment (running it for the full previous month):

At the moment I get a lot more than 10 results per dept, but I suspect it's the by clause in the top command that messes it up. Also, I seem to get the correct results if I only do 'top 10 total by dept', but I need the signature in the final search result as well.

Then I have a secondary problem as well. The 'stats' command is obviously limited to 10000 events only, so the 'top' command will only return the top 10 signatures by dept based on those 10000 rows.

Logic then obviously dictates that I do my 'top' before my 'stats' command, but I just can't get it working.

What am I doing wrong?

Source: https://community.splunk.com/t5/Splunk-Search/Limit-search-to-top-10-by-specific-fields/m-p/19688

top

Description

Finds the most common values for the fields in the field list. Calculates a count and a percentage of the frequency the values occur in the events. If the <by-clause> is included, the results are grouped by the field you specify in the <by-clause>.

Syntax

top [<N>] [<top-options>...] <field-list> [<by-clause>]

Required arguments

<field-list>
Syntax: <field>, <field>, ...
Description: Comma-delimited list of field names.

Optional arguments

<N>
Syntax: <int>
Description: The number of results to return.
Default: 10
<top-options>
Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | showcount=<bool> | showperc=<bool> | useother=<bool>
Description: Options for the command. See Top options.
<by-clause>
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Top options

countfield
Syntax: countfield=<string>
Description: For each value returned by the command, the results also return a count of the events that have that value. This argument specifies the name of the field that contains the count. The count is returned by default. If you do not want to return the count of events, specify showcount=false.
Default: count
limit
Syntax: limit=<int>
Description: Specifies how many results to return. To return all values, specify zero ( 0 ). Specifying limit=<int> is the same as specifying <N>.
Default: 10
otherstr
Syntax: otherstr=<string>
Description: If useother=true, a row representing all other values is added to the results. Use otherstr to specify the name of the label for the row.
Default: OTHER
percentfield
Syntax: percentfield=<string>
Description: For each value returned by the command, the results also return a percentage of the events that have that value. This argument specifies the name of the field that contains the percentage. The percentage is returned by default. If you do not want to return the percentage of events, specify showperc=false.
Default: percent
showcount
Syntax: showcount=<bool>
Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
Default: true
showperc
Syntax: showperc=<bool>
Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Default: true
useother
Syntax: useother=<bool>
Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff.
Default: false

Usage

The top command is a transforming command. See Command types.

Default fields

When you use the top command, two fields are added to the results: count and percent.

Field: count
Description: The number of events in your search results that contain the field values that are returned by the top command. See the countfield and showcount arguments.

Field: percent
Description: The percentage of events in your search results that contain the field values that are returned by the top command. See the percentfield and showperc arguments.

Default maximum number of results

By default the command returns a maximum of 50,000 results. This maximum is controlled by the setting in the stanza in the limits.conf file. Increasing this limit can result in more memory usage.

Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the directory. The files in the directory must remain intact and in their original location. Make the changes in the directory.

See How to edit a configuration file.

If you have Splunk Cloud Platform, you need to file a Support ticket to change this limit.

Examples

Example 1: Return the 20 most common values for a field

This search returns the 20 most common values of the "referer" field. The results show the number of events (count) that have each referer value, and the percentage that each referer is of the total number of events.

This screen image shows the results of the search. There are three columns in the results: referer, count, and percent.

Example 2: Return top values for one field organized by another field

This search returns the top "action" values for each "referer_domain".

Because a limit is not specified, this returns all the combinations of values for "action" and "referer_domain" as well as the counts and percentages:

This screen image shows the results of the search. The results display four columns: referer_domain, action, count, and percent.

Example 3: Return the top product purchased for each category

This example uses the sample dataset from the Search Tutorial and a field lookup to add more information to the event data.
  • Download the data set from Add data tutorial and follow the instructions to load the tutorial data.
  • Download the CSV file from Use field lookups tutorial and follow the instructions to set up the lookup definition to add price and productName to the events.

After you configure the field lookup, you can run this search using the time range, All time.

This search returns the top product purchased for each category. Do not show the percent field. Rename the count field to "total".

This screen image shows the results of the search. The results show three columns: categoryId, productName, and total.

See also

rare, sitop, stats

Source: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Top
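The following Python is an added example, not code from the Splunk documentation or from the forum thread above. It models the documented behaviour of top (a count and a percent per value, percent computed within each by-group, limit=0 returning every value, and the optional OTHER row) over constructed IDS-style events, so the "top 10 signatures per department" question from the forum post can be checked offline; the SPL it mirrors is `... | top limit=10 signature by dept` (my reading, not the thread's accepted answer). The field names dept and signature, the sample events, and the alphabetical ordering of groups are assumptions.

```python
from collections import Counter, defaultdict

def top(events, field, limit=10, by=None, countfield="count", percentfield="percent",
        showcount=True, showperc=True, useother=False, otherstr="OTHER"):
    """Model of Splunk's `top [limit=N] <field> [by <by>]` over a list of dict events.

    Rows are ranked by count within each by-group; percent is the share of that
    group's events. Events missing `field` (or `by`) are skipped, as top does.
    limit=0 keeps every value; useother=True appends one row for the cut-off values.
    Group order (alphabetical by group value) is an assumption, not documented behaviour.
    """
    groups = defaultdict(Counter)
    for ev in events:
        if field not in ev or (by and by not in ev):
            continue
        groups[ev[by] if by else None][ev[field]] += 1
    rows = []
    for key in (sorted(groups) if by else list(groups)):
        ranked = groups[key].most_common()          # descending by count
        total = sum(c for _, c in ranked)
        kept = ranked if limit == 0 else ranked[:limit]
        rest = total - sum(c for _, c in kept)       # events hidden by the limit
        if useother and rest:
            kept = kept + [(otherstr, rest)]
        for value, c in kept:
            row = {by: key} if by else {}
            row[field] = value
            if showcount:
                row[countfield] = c
            if showperc:
                row[percentfield] = round(100.0 * c / total, 6)
            rows.append(row)
    return rows

def _mk(dept, sig, n):
    """Build n constructed IDS-style events for one dept/signature pair."""
    return [{"dept": dept, "signature": sig} for _ in range(n)]

# Constructed sample data (not from the pages above): two departments, three
# signatures, plus one event with no signature field, which top must ignore.
EVENTS = (_mk("finance", "ET MALWARE Beacon", 5) + _mk("finance", "ET SCAN Nmap", 3)
          + _mk("finance", "ET POLICY Tor", 1) + _mk("hr", "ET SCAN Nmap", 4)
          + _mk("hr", "ET MALWARE Beacon", 1) + [{"dept": "hr"}])

if __name__ == "__main__":
    # Same idea as SPL `... | top limit=2 signature by dept useother=true`
    for row in top(EVENTS, "signature", limit=2, by="dept", useother=True):
        print(row)
```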

Splunk Search Command of the Week: TOP

I get it, SPL is a very wide language. With so many commands, arguments, functions, you name it. It’s a lot to learn and definitely a lot to remember. But what if I told you there were a couple of commands, that can almost do it all for you.

Let’s take a look at this search…

index=main | stats count as count by user | sort -count | head 10

A relatively easy search, for sure. But what if I could make it easier for you? Allow me to introduce the top (and its counterpart, rare) Splunk search commands. top lets you easily find the most common values in a field, and alongside each value it returns the count and the percentage of events in which that value occurs.

TOP Syntax

Now, we can explore the syntax for TOP Search Command.

|top <options> field <by-clause>

Here are the options:

  • Limit = limit the number of results
  • Showperc = show the activity percent field of the value

Field = the field you want to find the top values of

By-clause = a field you want to group the results by

TOP Results

Now, let’s show the value in this search. Take the same search referenced above used with the new commands:

index=main | top limit=10 user

And blam, same results, less… search.

Figure 1 - TOP Results

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you're interested in learning more about our EOD service or want to chat with our team of experts, fill out the form below!

Source: https://kinneygroup.com/blog/splunk-search-command-of-the-week-top/