Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Counting how often the mode() value occurs in a result set

moffitt
Engager
‎08-15-2013 08:45 AM

I want to query my access logs to learn where the majority of my traffic is coming from in 1 second buckets. This is my query.

sourcetype="access*" | timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(mode) as hits

I get good data results for ips and mode. The first is a list of ip addresses and the second is the most frequent value in that list. The problem with this query is that hits is always zero. Can anyone please tell me how I can count the number of times the mode value appears in the result set?

Reply

sideview
SplunkTrust
SplunkTrust
‎08-15-2013 11:38 AM

This should work and it is all in a single search pipeline (no subsearches).

sourcetype="access*" | bin _time span="1s" | eventstats mode(clientip) as modeClientip by _time | eval isModeValue=if(clientip=modeClientip,1,0) | timechart span=1s values(clientip) as ips, mode(clientip) as mode, sum(isModeValue) as hits

eventstats makes a pass through the entire incoming set, and paints a little "modeClientip" field on each row. the value of modeClientip will be the mode(clientip) within the given 1second time bucket. Then we make a little boolean field called isModeValue, then at the end timechart has a very easy job.

Note that the span of the bin command and the span of the timechart command have to match or confusing things might happen.

Reply

lguinn2
Legend
‎08-15-2013 06:21 PM

Nice - just couldn't think of that!

0 Karma
Reply

moffitt
Engager
‎08-15-2013 02:05 PM

This works very well. Thank you.

0 Karma
Reply

lguinn2
Legend
‎08-15-2013 10:38 AM

I don't think there is a way to do this in a simple search. The only way I can think of uses a subsearch.

sourcetype="access*" 
| eval modeValue = [ search sourcetype="access*"  |
   | timechart span=1s mode(clientip) as mode | return $mode ]
| timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(eval(clientip=modeValue)) as hits

This actually runs through the data twice. The subsearch returns the clientip value that is the most frequent value.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...