Top 10 Most Active Hosts in a Linux Environment

The following splunk query example will return the top 10 most active hosts in a given time range. Active in this instance is determined simply the number of log entries. *NOTE* if the host field is being autoextracted (for instance if you are using a universal forwarder) you will not need the regex command and can call upon the auto extracted fieldname of "host"

sourcetype=linux_secure |rex ".*:\d{2}\s(?<hostname>\S+)" | top limit=10 hostname