Hi-
I have this search query:
"source="/prod/splunkforwarder/bin/scripts/jrexpiry.sh" npw.gov.se"
and my time frame is from April 1 - April 30. The result it gets is 5,540 events. What I want is to just limit the results to 10 events per day in 1 month; that is, on April 1st, it should only give 10 events, on Apr 2nd 10 events, on Apr 3rd 10 events, and so on. How can I do this? Please advise. Cheers! Isaias
Try adding "| streamstats count by date_mday | where count <= 10" to your search. For example:
source="/prod/splunkforwarder/bin/scripts/jrexpiry.sh" npw.gov.se | streamstats count by date_mday | where count <= 10