Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

event count, per user, per hour

tmarlette
Motivator
‎06-05-2013 02:28 PM

So i'm attempting to count a specific event type, per user, per hour. I only want the tope ten users, and I thought the 'top' command would do it, but I'm hitting a snag. The top command doesn't output any data at all.
I'm looking for this data to output in a table format with the fields time,user,count.

I attempted to use the following search query:

host=< myhost > eventtype=< my event type > | timechart span=1h count by user useother=false

Thank you!!

Tags (2)
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-06-2013 06:47 AM

I think the issue is the output format of the table using time chart. If you manually bucket I think you will get a better result.

Try this:

host=< myhost > eventtype=< my event type > | bucket _time span=1h | stats count by _time,user | sort - count | head
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-06-2013 07:44 AM

Yeah you could do a subsearch and use that on the initial search. Something like below but you may need to play with it a bit.

host=< myhost > eventtype=< my event type > [ search host=< myhost > eventtype=< my event type > | top user | table user] | bucket _time span=1h | stats count by _time,user | sort - count | head

http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch

0 Karma
Reply

tmarlette
Motivator
‎06-06-2013 07:40 AM

bucketing is exactly what I was looking for as far as the count for the time span! Thank you!

This gives the most recent offenders/instances, though I am looking for information on only the top ten offenders.

It's almost like I would need to run a search first to find the top ten offenders, then break out each user into a '_time" bucket and show their stats per hour individually? I'm guessing here 😃

0 Karma
Reply

kml_uvce
Builder
‎06-05-2013 09:50 PM

try this...

host=< myhost > eventtype=< my event type > | timechart span=1h limit=10 useother=f count by user

0 Karma
Reply

tmarlette
Motivator
‎06-06-2013 06:30 AM

Almost! The result set I get now is the ten (limit=10) most recent offenders.

I thought the 'top' command was the way to go, but I can't seem to get the search to roll it's results to the top command and have it output the data.

0 Karma
Reply

tmarlette
Motivator
‎06-05-2013 02:49 PM

It looks like I'm getting the latest 20 users, which are not the top offenders I am looking for.

0 Karma
Reply

Ayn
Legend
‎06-05-2013 02:43 PM

So, what was the result of the query you attempted?

0 Karma
Reply
Get Updates on the Splunk Community!

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...