Good morning Splunkers,
I'm working on the search detailed below.
By using two subsearches I'm trying to identify the top 5 members of MY_GROUP and also the top 5 hosts, both ranked by counted LOGINs.
I would like to chart the results in a "column table". I'm using those two subsearches because all members of MY_GROUP often visit more than 20 hosts, and this impacts the density of information presented in the final chart.
Does anybody know a way to make that code simpler and more efficient?
Thanks all in advance.
P.S. If I run that search using startmonthsago=6 instead of the last 6 days (I know, it would be smarter to use a summary index, but I need it only sporadically), the results are strange: the two subsearches seem to exit with partial results. Is that possible in your opinion?
This is the search:
tag=LOGIN tag="MY_GROUP" startdaysago=6
  [search tag=LOGIN startdaysago=6 tag="MY_GROUP" | stats count by User_Name | sort -count | head 5 | fields User_Name]
  [search tag=LOGIN startdaysago=6 tag="MY_GROUP" | stats count by host | sort -count | head 5 | fields host]
| chart count(host) by User_Name, host
Thanks gkanapathy for your support.
What I need is a chart with the TOP 5 users by logins performed in the last 6 days on the X-axis and just the count of logins on the Y-axis. For each of those TOP 5 users, grouped by their name, I want to show only those of the top 5 servers each user has visited in the time range.
Thanks...
Ciao
nik
...I just finished trying, and the results aren't the ones I'm looking for.
Let's say
Ausr, Busr, Cusr, Dusr, Eusr, Fusr, Gusr are members of MY_GROUP.
The TOP 5 users by their logins during the last 6 days are:
Ausr, Busr, Cusr, Dusr, Gusr.
1srv, 2srv, 3srv, 4srv, 5srv, 6srv, 7srv, ... 20srv... 50srv... 2000srv are servers in my network (and consider that each user accesses 10-15 servers every week).
The TOP 5 servers by counted logins during the last 6 days are:
1srv, 2srv, 3srv, 4srv, 7srv.
What I need is a chart where the output is:
EXAMPLE:
for those top5 users
Ausr = 1srv, 3srv, 4srv, 7srv,
Busr = 1srv, 2srv, 3srv, 7srv,
Cusr = 1srv, 2srv, 3srv
Dusr = 4srv, 7srv
Gusr = 1srv, 3srv, 7srv
If I use tag=LOGIN tag="MY_GROUP" | stats count by User_Name host
I will get split rows... so I cannot control the TOP 5 users.
If I use
tag=LOGIN tag="MY_GROUP" | chart count over User_Name by host
I again lose control of the output... because all the results come out.
...
Tks again....
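One way to get exactly the output described in the example above (top 5 users by login count, and for each of them only the globally top 5 hosts they visited) without any subsearch, as an added example that is not part of this thread's own posts. It assumes the field names User_Name and host and the tags LOGIN and MY_GROUP from the question, and uses earliest=-6d@d in place of startdaysago=6, which is the older time-modifier syntax. Dropping the subsearches also sidesteps the subsearch result limits (by default 10,000 results and 60 seconds per subsearch), which is a plausible reason the 6-month version of the original search returns partial results.

```spl
tag=LOGIN tag="MY_GROUP" earliest=-6d@d latest=now
| stats count AS logins BY User_Name host
| eventstats sum(logins) AS user_total BY User_Name
| eventstats sum(logins) AS host_total BY host
| sort 0 -host_total, host
| streamstats dc(host) AS host_rank
| sort 0 -user_total, User_Name
| streamstats dc(User_Name) AS user_rank
| where user_rank <= 5 AND host_rank <= 5
| chart sum(logins) AS logins OVER User_Name BY host
```

The single stats pass builds one row per (User_Name, host) pair; the two eventstats calls attach each row's user total and host total without collapsing rows. Each streamstats dc() then assigns a running distinct-count rank over the table sorted by the respective total, so host_rank is computed on the full table before any user is filtered out and therefore reflects the global top 5 hosts, which is what gives Dusr = 4srv, 7srv in the example rather than Dusr's own most-visited servers. The final chart has one column per top user and one series per top host; hosts a given user never visited simply show no value for that user. Swap the where clause for `user_rank <= 5` alone if you later want each user's own top hosts instead of the global ones.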