We're using Splunk in a SIEM environment and I have a search that returns all the bad event signatures with a count, sorted by the source department where the bad event signature was picked up.
That is obviously a simplified view of what we have. We have hundreds of signatures for bad events per department.
What I'm looking for is taking my results and limiting it to the top 10 signatures per department.
The moment I introduce the 'top' command to my search, I get skewed results. Logic dictates that what I want to do should be easy, but I'm struggling quite a bit.
This is the search I have at the moment (running it for the full previous month):
At the moment I get a lot more than 10 results per dept, but I suspect it's the by clause in the top command that messes it up. Also, I seem to get the correct results if I only do 'top 10 total by dept', but I need the signature in the final search result as well.
Then I have a secondary problem as well. The 'stats' command is obviously limited to 10000 events only, so the 'top' command will only return the top 10 signatures by dept based on those 10000 rows.
Logic then obviously dictates that I do my 'top' before my 'stats' command, but I just can't get it working.
What am I doing wrong?
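One way to get ten signatures per department, as an added example that is not part of the original post. It assumes the events live in an index called siem and carry fields named dept and signature (all three names are assumptions). The search aggregates with stats first, ranks the rows inside each department with streamstats, and keeps rank 10 or lower, so the per-department cut-off is explicit and does not depend on how top applies its limit under a BY clause. The `sort 0` matters: sort truncates its output to 10,000 rows unless its limit is set to 0, and that truncation is the usual reason for departments going missing in a top-N-per-group search. The eventstats/eval pair reproduces the percent column that top would give, computed within each department.

```spl
index=siem earliest=-1mon@mon latest=@mon
| stats count AS total BY dept, signature
| eventstats sum(total) AS dept_total BY dept
| eval percent=round(100*total/dept_total, 2)
| sort 0 dept, -total
| streamstats count AS rank BY dept
| where rank<=10
| fields dept, signature, total, percent
```

The time modifiers `-1mon@mon` and `@mon` select the whole previous calendar month. The compact form using the top command itself is `index=siem earliest=-1mon@mon latest=@mon | top limit=10 signature BY dept`, which returns count and percent columns for up to ten signatures in each department; the explicit version above is useful when you want to see, and control, every step of the ranking.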
Finds the most common values for the fields in the field list. Calculates a count and a percentage of the frequency the values occur in the events. If the <by-clause> is included, the results are grouped by the field you specify in the <by-clause>.
top [<N>] [<top-options>...] <field-list> [<by-clause>]
<field-list>
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of field names.
<N>
- Syntax: <int>
- Description: The number of results to return.
- Default: 10
<top-options>
- Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | showcount=<bool> | showperc=<bool> | useother=<bool>
- Description: Options for the command. See Top options.
<by-clause>
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
Top options
- Syntax: countfield=<string>
- Description: For each value returned by the command, the results also return a count of the events that have that value. This argument specifies the name of the field that contains the count. The count is returned by default. If you do not want to return the count of events, specify showcount=false.
- Default: count
- Syntax: limit=<int>
- Description: Specifies how many results to return. To return all values, specify zero (limit=0). Specifying limit=<int> is the same as specifying <N>.
- Default: 10
- Syntax: otherstr=<string>
- Description: If useother=true, a row representing all other values is added to the results. Use otherstr=<string> to specify the name of the label for the row.
- Default: OTHER
- Syntax: percentfield=<string>
- Description: For each value returned by the command, the results also return a percentage of the events that have that value. This argument specifies the name of the field that contains the percentage. The percentage is returned by default. If you do not want to return the percentage of events, specify showperc=false.
- Default: percent
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- Syntax: showperc=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
- Syntax: useother=<bool>
- Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff.
- Default: false
The top command is a transforming command. See Command types.
When you use the top command, two fields are added to the results: count and percent.
| Field | Description |
| --- | --- |
| count | The number of events in your search results that contain the field values that are returned by the top command. See the countfield and showcount arguments. |
| percent | The percentage of events in your search results that contain the field values that are returned by the top command. See the percentfield and showperc arguments. |
Default maximum number of results
By default the top command returns a maximum of 50,000 results. This maximum is controlled by a setting in the limits.conf file. Increasing this limit can result in more memory usage.
Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the directory. The files in the directory must remain intact and in their original location. Make the changes in the directory.
See How to edit a configuration file.
If you have Splunk Cloud Platform, you need to file a Support ticket to change this limit.
Example 1: Return the 20 most common values for a field
This search returns the 20 most common values of the "referer" field. The results show the number of events (count) for each referer value, and the percent that each referer is of the total number of events.
Example 2: Return top values for one field organized by another field
This search returns the top "action" values for each "referer_domain".
Because a limit is not specified, this returns all the combinations of values for "action" and "referer_domain" as well as the counts and percentages:
Example 3: Return the top product purchased for each category
This example uses the sample dataset from the Search Tutorial and a field lookup to add more information to the event data.
After you configure the field lookup, you can run this search using the time range, All time.
This search returns the top product purchased for each category. Do not show the percent field. Rename the count field to "total".
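An added example, not one of the documentation's own, that exercises several of the Top options listed above in one search. The index name siem and the fields signature and dept are assumptions; the date range is just a week of data.

```spl
index=siem earliest=-7d@d latest=@d
| top limit=5 countfield=total percentfield=share useother=true otherstr="ALL_OTHER_SIGNATURES" signature BY dept
```

Options go before the field list and the BY clause, exactly as in the syntax line. The output has the columns dept, signature, total and share: countfield and percentfield rename the default count and percent fields, limit=5 keeps the five most frequent signatures in each dept, and useother=true adds one extra row per dept labelled ALL_OTHER_SIGNATURES (the otherstr value) whose total and share cover every signature that fell below the cut-off, so the shares in each department still add up to 100.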
See also: rare, sitop, stats
Splunk Search Command of the Week: TOP
I get it, SPL is a very wide language. With so many commands, arguments, functions, you name it. It’s a lot to learn and definitely a lot to remember. But what if I told you there were a couple of commands, that can almost do it all for you.
Let’s take a look at this search:
index=main | stats count as count by user | sort -count | head 10
A relatively easy search, for sure. But what if I could make it easier for you? Allow me to introduce the TOP, or Rare, Splunk Search Commands. TOP allows you to easily find the most common values in fields. It will also help you find information behind your event values like count and percentage of the frequency.
Now, we can explore the syntax for the TOP search command:
top <options> field <by-clause>
Here are the options:
- limit = limit the number of results
- showperc = show the percent field of the value
- field = the field you want to find the top values of
- by-clause = a field you want to group the results by
Now, let’s show the value in this search. Take the same search referenced above, rewritten with the new command:
index=main | top limit=10 user
And blam, same results, less… search.
Ask the Experts
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!