https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25083#M177535 <P>Hi there,</P> <P>I can't for the life of me figure out how to do the following.</P> <P>I'm analysing some standard web logs.</P> <P>I want to be able to find out when any unique IP address accesses a particular URI path more than once a second.</P> <P>The starting point I have for this is as follows:</P> <PRE><CODE>uri_path=/foo | span=1s timechart dc(clientip) </CODE></PRE> <P>This shows me when the distinct count of IP addresses accessing this URL per 1 second intervals BUT it includes all instances where the requests are made just once during this span. I only want a distinct count of the IP addresses that requested the URL more than once in the 1 second span.</P> <P>Does anyone have any idea how to do this?</P> <P>Many thanks.</P> Fri, 03 Aug 2012 12:16:24 GMT monkey 2012-08-03T12:16:24Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25083#M177535 <P>Hi there,</P> <P>I can't for the life of me figure out how to do the following.</P> <P>I'm analysing some standard web logs.</P> <P>I want to be able to find out when any unique IP address accesses a particular URI path more than once a second.</P> <P>The starting point I have for this is as follows:</P> <PRE><CODE>uri_path=/foo | span=1s timechart dc(clientip) </CODE></PRE> <P>This shows me when the distinct count of IP addresses accessing this URL per 1 second intervals BUT it includes all instances where the requests are made just once during this span. I only want a distinct count of the IP addresses that requested the URL more than once in the 1 second span.</P> <P>Does anyone have any idea how to do this?</P> <P>Many thanks.</P> Fri, 03 Aug 2012 12:16:24 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25083#M177535 monkey 2012-08-03T12:16:24Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25084#M177536 <P>Add a filter condition after :</P> <PRE> uri_path=/foo | span=1s timechart dc(clientip) AS distinct_ip | where distinct_ip &gt;1 </PRE> Fri, 03 Aug 2012 15:33:36 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25084#M177536 yannK 2012-08-03T15:33:36Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25085#M177537 <P>Thanks, yannK, but that doesn't quite achieve what I want: it charts data when more than one distinct client IP appears in one second. I only want to chart the count of distinct client IPs where the count of each distinct client IP is more than one.</P> <P>192.168.1.1<BR /> 192.168.1.1<BR /> 192.168.2.2</P> <P>I.e. if the above client IPs appear in one second, I want to chart "1" for that second (since 192.168.1.1 appears twice).</P> <P>192.168.1.1<BR /> 192.168.2.2<BR /> 192.168.3.3</P> <P>If the above appear in one second, I want to chart "0" for that second.</P> Sat, 04 Aug 2012 08:23:43 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25085#M177537 monkey 2012-08-04T08:23:43Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25086#M177538 <P>ok so you want how many time EACH distinct ip connects in a 1 second windows. exclude all the ones that connected only one, <BR /> then count the number of those distinct ips per second.</P> <PRE> uri_path=/foo | bucket _time span=1s | stats count by _time clientip | where count &gt;1 | timechart span=1s dc(clientip) as distinct_ip </PRE> Sun, 05 Aug 2012 05:06:01 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25086#M177538 yannK 2012-08-05T05:06:01Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25087#M177539 <P>did it worked for you ?</P> Mon, 03 Sep 2012 07:09:22 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-when-grouped-events-meet-certain-criteria/m-p/25087#M177539 yannK 2012-09-03T07:09:22Z