Solved: How to search values from stats to output other st...

n00ber · ‎10-11-2019

Hi,

I'm new to Splunk and I'm trying to make the following search work:

Search:

| >= 50 document queries from the same user on Host x 
| within one minute 
| concerning 15 or more db records

Thanks in advance.

woodcock · ‎10-12-2019

Like this:

... | streamstats time_window=1m count(searchmatch("query string here")) AS query_count dc(db_record_field_name_here) AS dc_db BY host
| where query_count >= 50 AND dc_db >= 15

View solution in original post

woodcock · ‎10-12-2019

Like this:

... | streamstats time_window=1m count(searchmatch("query string here")) AS query_count dc(db_record_field_name_here) AS dc_db BY host
| where query_count >= 50 AND dc_db >= 15

gcusello · ‎10-11-2019

Hi n00ber,
I'm not sure to understand your need, do you want to search events for each user on host=x and count them every minute; I don't understand the second condition: concerning 15 or more db records.
Anyway, the part I understood should be solved by something like this:

your_search host=x
| timechart span=1m count BY user
| where count>49

In this way you have the users and the minutes where you have more than 49 events.

I'm waiting for more details about your need.

Bye.
Giuseppe

n00ber · ‎10-14-2019

Thanks @gcusello but this query was what I was doing before and not getting what I needed. @woodcock answer met needes!

How to search values from stats to output other stats

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...