I got a challenging request from a customer regarding their access logs. They want to monitor access patterns across all the the access points in their network by user. Particularly, they are interested in stats for the top 10% of users for each access point. (10%- the top ten out of 100 users). I've managed to get most of the info that they want using pretty simple searches, but I'm still stumped on this one:
total number of logins for the top 10% of users by access point
I've tried some things using subsearches and the perc() function, but the search string gets too complicated or I end up doing something that Splunk doesn't like. Maybe I'm overthinking it.
Here's my latest failure(the appendcols and where commands cause the problems):
answered 17 Feb '11, 06:03