Splunk Search

How do I get the 5 most active hosts that created a new folder in the last 7 days?

splunkman341
Communicator

Hey guys,

I am trying to create a custom search which the question directly states. How would I go about doing that? I tried running this :

 sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"|top limit=5 host | timechart span=1d count 

Which is saying to look at that specific sourcetype, with the FolderLogging Action and looking for any new creations of OOID folder for the 5 most active hosts and filter it into a chart which displays it weekly. Can anyone guide me in the right direction?

Thanks for your help

Tags (1)
0 Karma
1 Solution

aljohnson_splun
Splunk Employee
Splunk Employee

I think this is what you are looking for?

sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"
| timechart span=7d limit=5 count by host

View solution in original post

splunkman341
Communicator

Thanks for your anwser !!! Only one thing though, it is only displaying for one host and I noticed there are two hosts that are active. Do you know how to go about displaying both hosts in the chart?

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Make sure that your initial search is including both hosts.

For example, run the search
sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"

And go to the hosts field to make sure there are two hosts. If there are, timechart should create a new line for each host in that time range. If you still don't see the second host, make sure that the values are not zero. Are they coming up in the legend for the timechart?

0 Karma

splunkman341
Communicator

I switched the visualization view and both hosts are coming up on different graphs/charts but for some reason on a pie chart it only displays one host?

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Hmm. At that point, screenshots will. I'm not sure without seeing what you are talking about.

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

I think this is what you are looking for?

sourcetype=doccloud_catalina FolderLoggingAction "new OOID Folder"
| timechart span=7d limit=5 count by host
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...