I got a challenging request from a customer regarding their access logs. They want to monitor access patterns across all the access points in their network by user. Particularly, they are interested in stats for the top 10% of users for each access point (10% - the top ten out of 100 users). I've managed to get most of the info that they want using pretty simple searches, but I'm still stumped on this one:
total number of logins for the top 10% of users by access point
I've tried some things using subsearches and the perc() function, but the search string gets too complicated or I end up doing something that Splunk doesn't like. Maybe I'm overthinking it.
Here's my latest failure (the appendcols and where commands cause the problems):
sourcetype="access_log"
| stats count as EVNT by APNUM USERID
| appendcols [search sourcetype="access_log" | stats count AS EVNTCNT by APNUM USERID | stats p90(EVNTCNT) as LIM by APIP | fields APIP LIM ]
| eval USE=if(EVNT<LIM, "NO", "YES")
| table APIP, EVNT, LIM, USE
| stats sum(EVNT) by APIP
| where USE=YES
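One way to get "total logins for the top 10% of users per access point" without a subsearch, as an added example and not part of the original question. It ranks users within each access point rather than using a percentile, so "top 10%" means exactly the top ten out of 100 users, and ties or interpolation in p90 cannot pull in extra users. It assumes the field names from the post (sourcetype access_log, APNUM as the access point, USERID as the user; the post also mentions APIP, so substitute whichever field identifies the access point) and that one event is one login:

```spl
sourcetype="access_log"
| stats count AS EVNT BY APNUM USERID
| eventstats dc(USERID) AS USERS BY APNUM
| sort 0 APNUM -EVNT
| streamstats count AS RANK BY APNUM
| where RANK <= ceiling(USERS/10)
| stats sum(EVNT) AS TOP_USER_LOGINS dc(USERID) AS TOP_USERS BY APNUM
```

Stage by stage: the first stats collapses the raw events to one row per access point and user with that user's login count (EVNT). eventstats attaches the number of distinct users per access point (USERS) to every row without collapsing them. sort 0 orders rows by access point and then by login count descending (the 0 removes the default 10,000-row limit), and streamstats numbers the rows within each access point so RANK 1 is that access point's busiest user. The where clause keeps only the top ceiling(USERS/10) users per access point (with fewer than ten users this still keeps at least one), and the final stats sums their logins. The where fires on the row that still carries USE-style per-user fields, which is why the original search lost that information: its stats sum(EVNT) by APIP ran before the filter and dropped USE, and where USE=YES compares against a field named YES rather than the string "YES".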