How to return the 5 most repeat_count values per e...

harsush · ‎04-04-2018

Hi Team,

need your help

sourcetype=amc| search environment=* |top 5 showperc=f countfield="repeat_count" environment nodename

environment nodename    repeat_count
DR          Hostname1   636
Prod        Hostname2   117
Prod        Hostname3   108
Prod        Hostname4   102
Prod        Hostname5   87

who to get top 5 repeat_count host per environment [example show below]

environment nodename    repeat_count
DR          Hostname1   636
DR          Hostname12  637
DR          Hostname13  638
DR          Hostname14  639
DR          Hostname15  640
Prod        Hostname21  117
Prod        Hostname22  108
Prod        Hostname23  102
Prod        Hostname24  87
Prod        Hostname25  86

elliotproebstel · ‎04-04-2018

This should do what you're looking for:

sourcetype=amc environment=* 
| stats count AS repeat_count BY environment nodename 
| sort 0 - environment repeat_count 
| streamstats count AS top_count BY environment 
| where top_count<=5 
| fields environment nodename repeat_count

After generating the repeat_count value, it sorts all the values within each environment category by repeat_count. It then uses streamstats to generate a top_count value within each environment category. It filters out events with a top_count value greater than 5 (preserving only the top 5), and then organizes the fields as you displayed them.

harsush · ‎04-04-2018

repeat_count is a field which has count of number of alerts

How to return the 5 most repeat_count values per environment?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases