| index=yourindexes sourcetype=access_combined uri_path=/login | |
| | eval _time=relative_time(_time,"@m") | |
| | stats count by clientip,_time | |
| | where count > X | |
| | appendpipe | |
| [ dedup clientip | |
| | map | |
| [ gentimes increment=1m | |
| [ noop | |
| | stats count |
| noop | stats count | fields
| eval num=mvrange(0,40,1) | mvexpand num
| eval _time=relative_time(now(),"-".num."d@d")
| eval day=strftime(_time,"%A - %F")
| timechart span=w count,list(day)
Have your search time range be at least: earliest=-40d@d latest=now otherwise you confuse the embedded bucket command by presenting data that's not in the time range.
| This is a Gist of useful Splunk Queries. |
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| @boxes = { | |
| centos510: {box:'opscode_centos-5.10_provisionerless',box_url:'http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-5.10_chef-provisionerless.box'}, | |
| centos65: {box:'opscode_centos-6.5_provisionerless',box_url:'http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box'}, | |
| } | |
| Vagrant.configure('2') do |config| | |
| config.berkshelf.enabled = false |
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| @boxes = { | |
| centos510: {box:'opscode_centos-5.10_provisionerless',box_url:'http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-5.10_chef-provisionerless.box'}, | |
| centos65: {box:'opscode_centos-6.5_provisionerless',box_url:'http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box'}, | |
| } | |
| Vagrant.configure('2') do |config| | |
| config.berkshelf.enabled = false |