Hi, I'm trying to create a search that would show the following data:
Top unique field1 | Top field2
E.g. (Username and command):
Get top unique Usernames and the corresponding top "command" executed by that "Username".
Username | Command
user1    | write
Hope someone can help, thanks.
It sounds like you want a list of the top command performed by each user. This will work:
... | top limit=1 command by user
Also, if you only wanted the top 10 users responsible for the top commands, do it like this:
... | top limit=1 command by user | head 10
I got accurate results if I use:
top limit=10 command,user
Ron,
I used your example, but it seems that Splunk can only handle 6 digits of precision using the top search command.
Ron,
Thanks for this. However, I guess I was not really clear with the inquiry. What I was looking for was a form search containing 2 input fields and matching those 2 fields and showing it as an event.
I came up with a form search XML (could not paste everything) and it would seem to be ok. Would appreciate more inputs for improvement, thanks.
You can change the "limit" option to include more top commands per user. You can also substitute "rare" for "top", if you wanted to find the least used.
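As an added example (not from any of the posters in this thread), here is a self-contained search that builds a small constructed dataset with `makeresults` and then applies the `top limit=1 command by user | head 10` pattern from the answer, so the grouping behaviour can be checked without any indexed data. The user and command values are made up; `sort - count` is added so that `head 10` keeps the users with the most frequent top command rather than the first ten in grouping order.

```spl
| makeresults count=1
| eval data="user1 write,user1 write,user1 read,user2 read,user2 delete,user2 read,user3 exec"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<user>\S+)\s+(?<command>\S+)$"
| top limit=1 command by user
| sort - count
| head 10
```

The result has one row per user (user1 write, user2 read, user3 exec) with a count and a percent column, where percent is relative to that user's own events rather than to all events. Swapping `top` for `rare` in the same pipeline returns the least frequent command per user instead, which is the more useful view when looking for unusual activity by an account.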