https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423379#M121509 <P>You can search directly like this:</P> <P>index="your index" "10.196.x.x"</P> Wed, 06 Mar 2019 20:33:10 GMT cvssravan 2019-03-06T20:33:10Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423376#M121506 <P>I have these pattern in logs and I want to search burst of requests coming from one IP address</P> <P>For example:</P> <P>line: 10.196.<EM>.</EM> - - [06/Mar/2019:09:28:41 +0000] "GET /info/moin_static155a/common/ie7/ie7-overflow.js HTTP/1.1" 404 17</P> Wed, 06 Mar 2019 10:02:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423376#M121506 varshna 2019-03-06T10:02:39Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423377#M121507 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/166179">@varshna</a>,</P> <P>If you have the IP address as a field in the events, you could search it with fieldname_of_ip="10.196..."<BR /> Or you shall extract the IP address from the events using <CODE>rex</CODE> and search with it<BR /> Or you can search directly in the events with <CODE>index="your index" TERM(10.196...)</CODE></P> Tue, 29 Sep 2020 23:34:47 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423377#M121507 renjith_nair 2020-09-29T23:34:47Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423378#M121508 <P>index=x IP=10.196.xx.xx | table *</P> <P>Where IP is column name. That should work unless I'm missing something.</P> Wed, 06 Mar 2019 13:34:11 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423378#M121508 JPaule 2019-03-06T13:34:11Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423379#M121509 <P>You can search directly like this:</P> <P>index="your index" "10.196.x.x"</P> Wed, 06 Mar 2019 20:33:10 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423379#M121509 cvssravan 2019-03-06T20:33:10Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423380#M121510 <P>I am getting hit by different IPs at random times and their pattern is random. This is one of the example. Is there a way to detect the pattern, for ex: sudden burst of requests coming from one IP or sudden increase in 5XX or 4XX.</P> Fri, 08 Mar 2019 06:05:05 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423380#M121510 varshna 2019-03-08T06:05:05Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423381#M121511 <P>I am getting hit by different IPs at random times and their pattern is random. This is one of the example. Is there a way to detect the pattern, for ex: sudden burst of requests coming from one IP or sudden increase in 5XX or 4XX.</P> Mon, 11 Mar 2019 04:57:03 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423381#M121511 varshna 2019-03-11T04:57:03Z https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423382#M121512 <P>@varshna,</P> <P>You can count the events per IP and compare it with previous counts and see if there is a sudden increase</P> <P>For eg. <CODE>index=your_index earliest=-2h |bucket span=1h _time|stats count by IP,_time</CODE></P> <P>Similarly for 5xx and 4xxx</P> Tue, 12 Mar 2019 03:57:20 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-search-all-request-based-on-IP-address/m-p/423382#M121512 renjith_nair 2019-03-12T03:57:20Z