topic Re: splunk time command question in Splunk Enterprise

splunk time command question

nnonm111 — Wed, 25 Aug 2021 05:30:55 GMT

I would like to know the ip that made status=404 more than 10 times in 10 minutes in a week. Please help me.

field list
ip = src_ip
status = status

Re: splunk time command question

danielcj — Wed, 25 Aug 2021 05:46:00 GMT

Hello,

Please verify the following query:

index=<your_index> sourcetype=<your_sourcetype> status=404 | transaction src_ip maxspan=10m | where eventcount > 10

Make sure to define your search time range to be executed in a week.

Thanks.

Re: splunk time command question

bowesmana — Wed, 25 Aug 2021 05:55:13 GMT

@nnonm111

Use the following

You_search status=404 | bin _time span=10m | stats count by src_ip _time | where count>10

I would recommend not using the transaction command as that is a very poor performing command to use for this purpose - depending on your data volume and number of IP addresses, you are likely to be a memory hog on the search head and may silently come up against server defined limits.

Using stats is very simple and efficient - the above bin command sets a time window and it will then count the occurrences of each IP within each 10 minute window.

The result set will give you each IP and each 10 minute window where the count exceeded 10.

Re: splunk time command question

nnonm111 — Wed, 25 Aug 2021 06:02:44 GMT

Then I'd like to confirm that you send a ping to another ip more than 10 times in 10 minutes.
Action = Ping
ip = clientip