https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432796#M167706 <P>I guess you could do the following:</P> <P>Sort by host and time in such a way that events are grouped by host and within that grouping sorted by time<BR /> Use a command like streamstats to give events a sequence number (restarting on host change)<BR /> Sort by host and query text in such a way that events are still grouped by host but within that grouping sorted by query text<BR /> Use the delta command to detect whether the sequence numbers are still in the same order, or completely mixed up</P> Wed, 29 Aug 2018 08:12:54 GMT FrankVl 2018-08-29T08:12:54Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432790#M167700 <P>Hi there</P> <P>I have many log-entries with the two fields "host_address" (an IP address) and "query" (a search query). One entry per query. I would like to figure out which "host_addresses" do their queries in alphabetical order. That's it.</P> <P>To be honest: I have no idea where to start!</P> <P>The only thing I found was the following article:</P> <P>[<A href="https://www.splunk.com/blog/2017/06/16/detecting-brute-force-attacks-with-splunk.html%5D%5B1" target="_blank">https://www.splunk.com/blog/2017/06/16/detecting-brute-force-attacks-with-splunk.html][1</A>]</P> <P>but it does not really help me eather. Can anyone?</P> <P>Best regards, Dominic</P> Tue, 29 Sep 2020 21:04:37 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432790#M167700 switch_dast 2020-09-29T21:04:37Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432791#M167701 <P>@switch_dast,</P> <P>It couldn't be that simple, but are your looking for</P> <PRE><CODE>index=* | table host_address,query|sort query </CODE></PRE> Tue, 28 Aug 2018 14:28:22 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432791#M167701 renjith_nair 2018-08-28T14:28:22Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432792#M167702 <P>I dont think so.. I don't want so see the queries in sorted order - I want to know which hosts issue their queries in alphabetical order</P> Tue, 28 Aug 2018 14:33:35 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432792#M167702 switch_dast 2018-08-28T14:33:35Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432793#M167703 <P>... and I don't want to figure out if the order is alphabetical by eye. Splunk should give me a list of host_addresses which behave like that. Late I want to generate alerts for hosts which behave in that way</P> Tue, 28 Aug 2018 14:38:15 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432793#M167703 switch_dast 2018-08-28T14:38:15Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432794#M167704 <P>Can you give example of what you'd call host_addresses in alphabetical order? </P> Tue, 28 Aug 2018 15:43:32 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432794#M167704 somesoni2 2018-08-28T15:43:32Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432795#M167705 <P>Multiple Hosts invoke multiple text-based search-queries and I would like to know which hosts apply there SEARCH-QUERIES in alphabetical order. Usually they should be in more a or less random order. So I dan't care about the alphabetical order of the host_addresses but of the seach-queries!</P> Wed, 29 Aug 2018 06:27:45 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432795#M167705 switch_dast 2018-08-29T06:27:45Z https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432796#M167706 <P>I guess you could do the following:</P> <P>Sort by host and time in such a way that events are grouped by host and within that grouping sorted by time<BR /> Use a command like streamstats to give events a sequence number (restarting on host change)<BR /> Sort by host and query text in such a way that events are still grouped by host but within that grouping sorted by query text<BR /> Use the delta command to detect whether the sequence numbers are still in the same order, or completely mixed up</P> Wed, 29 Aug 2018 08:12:54 GMT https://community.splunk.com/t5/Splunk-Search/Find-Hosts-which-do-their-searches-in-alphabetical-order/m-p/432796#M167706 FrankVl 2018-08-29T08:12:54Z