https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53654#M13044 <P>well I did it through CLI: # ./splunk search "host=\"20.20.20.5\" denied" | awk '{ print $14 }' | sort | uniq -c , but how to do it through webinterface?</P> Thu, 06 Sep 2012 21:00:04 GMT janfabo 2012-09-06T21:00:04Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53653#M13043 <P>Hello, I'm trying to write search, that will show me denied ip's sorted by it's count, like this:<BR /> host="1.1.1.1" denied | stats sum(count) as count by src_ip | graph, but this only shows me number of matching events and no stats. I'd like to visualize result in form of either table or chart. Could you please advise me how to do that? Thanx in advance.</P> Thu, 06 Sep 2012 20:45:42 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53653#M13043 janfabo 2012-09-06T20:45:42Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53654#M13044 <P>well I did it through CLI: # ./splunk search "host=\"20.20.20.5\" denied" | awk '{ print $14 }' | sort | uniq -c , but how to do it through webinterface?</P> Thu, 06 Sep 2012 21:00:04 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53654#M13044 janfabo 2012-09-06T21:00:04Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53655#M13045 <P>Something like this :</P> <PRE><CODE>host="20.20.20.5" denied | chart count by src_ip </CODE></PRE> <P>?</P> Thu, 06 Sep 2012 21:59:52 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53655#M13045 jonuwz 2012-09-06T21:59:52Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53656#M13046 <P>well, this shows 0 results even if there are 10 matching events (1). See the picture <A href="http://imm.io/DtsJ">here</A>. When I click 2 at the picture there is 10 log records. Maybe I have something misconfigured...</P> Fri, 07 Sep 2012 06:24:21 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53656#M13046 janfabo 2012-09-07T06:24:21Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53657#M13047 <P>Can you post a sample of the data?</P> Fri, 07 Sep 2012 06:34:12 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53657#M13047 jonuwz 2012-09-07T06:34:12Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53658#M13048 <P>First of all, <CODE>src_ip</CODE> must actually be a field that exists in the data and is extracted by Splunk.</P> <P>If it is, then</P> <PRE><CODE>... "denied" | top src_ip </CODE></PRE> <P>or</P> <PRE><CODE>... "denied" | stats count by src_ip | sort - count </CODE></PRE> Fri, 07 Sep 2012 06:46:39 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53658#M13048 gkanapathy 2012-09-07T06:46:39Z https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53659#M13049 <P>Great, it works! The field didn't exists, after adding extraction rule everything works. thanks.</P> Sat, 08 Sep 2012 05:52:17 GMT https://community.splunk.com/t5/Splunk-Search/group-ip-by-count/m-p/53659#M13049 janfabo 2012-09-08T05:52:17Z