topic Re: How to find count of occurrences of each IP for the first 15 mins starting from the first occurrence of each IP ? in Splunk Search

How to find count of occurrences of each IP for the first 15 mins starting from the first occurrence of each IP ?

sambit_kabi — Tue, 11 Feb 2020 17:58:07 GMT

Say I have an index A which has all the IPs logged during the day. So every event has an IP and the timestamp it was seen.

What I need to find is the count of the occurrence of each IP for the first 15 mins starting from the timestamp of the first occurrence of the IP.

Example: Say I find IP 1.2.3.4 at 10:00, 10:05,10:12, 10:16,10:20 and IP 9.8.7.6 at 11:00, 11:05, 11:10, 11:20.

For IP 1.2.3.4 the first occurrence was at 10:00 . So in the first 15 mins which is from 10:00 till 10:15 I get the occurrence count as 3. Occurrence at 10:16 and 10:20 is ignored.

Similarly for IP 9.8.7.6 the first occurrence was at 11:00 , so the first 15 mins i.e from 11:00 to 11:15 the occurrence count is 3. 11:20 occurrence is ignored.

So basically I want a search query which will give me the count of occurrence of each IP for the first 15 mins starting from the first occurrence of each IP.

The search result here would be
1.2.3.4 3
9.8.7.6 3

Re: How to find count of occurrences of each IP for the first 15 mins starting from the first occurrence of each IP ?

nickhills — Tue, 11 Feb 2020 18:15:01 GMT

Here is a couple of ways:

<your search>|bin span=15m _time
|stats count by IPaddress,_time
| sort + _time
| dedup IPaddress

That will use arbitrary 15 min blocks, 00,15,30,45 etc.

If you want the 15 mins to start from the time of the first event:

<your search>|transaction IPAddress maxspan=900
| sort + _time
| dedup IPAddress
| table IPAddress _time eventcount

Re: How to find count of occurrences of each IP for the first 15 mins starting from the first occurrence of each IP ?

sambit_kabi — Thu, 13 Feb 2020 05:09:34 GMT

Thanks for the prompt reply . It works . Thanks again. Got to learn a new command.