topic Re: Timechart with TIME, IPADDRESS and count in Splunk Search

Timechart with TIME, IPADDRESS and count

yatyat — Thu, 03 Feb 2022 09:37:13 GMT

Hi All,

I have below splunk data:

"new request: 127.0.0.1;url=login.jsp"

which contains the IPADDRESS (EX:127.0.0.1) and the URL (login.jsp)

I want to show a table which displays Number of requests made to (login.jsp) from every IPADDRESS on minute basis like below :

TimeStamp(Minutes) IPADDRESS COUNT

2022-01-13 22:03:00 ipaddress1 count1

2022-01-13 22:03:00 ipaddress2 count2

2022-01-13 22:03:00 ipaddress3 count3

2022-01-13 22:04:00 ipaddress1 count1

2022-01-13 22:04:00 ipaddress2 count2

which displays the count in descending order.

Please advise how to achieve this ?

Thanks

2022-01-13 22:04:00 ipaddress3 count3

Re: Timechart with TIME, IPADDRESS and count

PickleRick — Thu, 03 Feb 2022 09:30:34 GMT

It's not obvious whether you have problem with extraction or doing the stats.

But assuming your data is not parsed at all, you need something like that

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| timechart span=1m count by IPADDR

Re: Timechart with TIME, IPADDRESS and count

yatyat — Thu, 03 Feb 2022 09:44:12 GMT

It displays the data in this manner. It is difficult to get the data sorted by count manually.

sample

I need to get the highest number of requests made by an IPADDRESS in a minute. Can you please help?

Re: Timechart with TIME, IPADDRESS and count

PickleRick — Thu, 03 Feb 2022 11:20:55 GMT

Ahh, right. The timechart indeed does many separate series. You can do it a bit differently.

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| bin _time span=1m
| stats count by IPADDR _time
| sort - count