Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Generate report of top n search queries

staze
Path Finder
‎09-22-2010 09:54 PM

I'd like to generate a report of N top search queries from my apache weblogs.

Log entry for a search looks like:

123.456.789.000 - - [22/Sep/2010:13:58:18 -0700] "GET /search?SearchableText=Gateway HTTP/1.1" 200 5857 "http://www.example.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"

How would I go about doing this? I mean, I can do something like:

host="www" file="search" SearchableText="*" which returns the search terms in date/time order. But it would be nice to show them in frequency, etc, and return N number (where I can set N to 100, 1000, 10000, etc).

Frequency would probably also have to account for case. So, probably lc all the results, then tally them up.

Thanks!

0 Karma
Reply

staze
Path Finder
‎09-23-2010 05:24 PM

I believe I got it. I'm not sure why it wasn't rendering, but I managed to get it working...

host="www" file="search" SearchableText="*" | top limit=100 SearchableText

So yeah, this works.

0 Karma
Reply

staze
Path Finder
‎09-23-2010 05:23 PM

I think I got it.

host="www" file="search" SearchableText="*" | top limit=100 SearchableText

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-23-2010 12:29 AM

Field names in Splunk are case sensitive. Try: host="www" file="search" SearchableText="*" | top SearchableText

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-22-2010 10:53 PM

A report of top hosts for an error log might be:

index=stuff sourcetype=error_log | top host

If you manually manipulate stats:

index=stuff sourcetype=errors | stats count by host | sort -count | head 10

For your case, you need to extract a field called SearchableText. Once you extract it (via rex or interactive field extraction) you can report by it:

host=www source=<your log file> | rex "SearchableText=(?<SearchableText>.*[^ ]) HTTP" | top SearchableText

Make sure you limit your time range to test this out.

Reply

staze
Path Finder
‎09-22-2010 10:44 PM

So, I've just tried:

host="www" file="search" SearchableText="*" | top searchabletext

but it never seems to render the results (the results section just says "Waiting for Search Preview Results").

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...