https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165864#M47163 <P>Hello,</P> <P>In each line of the logs ,there is an email, an IP address and a timestamp.</P> <P>I'd like to calculate for each day the top 1 (or top 5 or top 10) IPs which have the biggest number of distinct emails.</P> <P>I'm using this</P> <PRE><CODE>| bin span=1d _time | stats dc(email) by ip,_time </CODE></PRE> <P>but this doesn't do the trick since it prints a line for each IP and each day and I don't know to get only the top 5 dc(email) per IP</P> <P>I'd like the result to look like this</P> <PRE><CODE>_time dc(email) ip 2014-07-28 50 10.1.1.1 30 1.1.1.2 20 1.1.1.3 10 1.1.1.4 10 1.1.1.4 2014-07-29 120 10.9.1.1 85 25.1.1.2 45 34.1.1.3 35 26.1.1.4 15 42.1.1.4 </CODE></PRE> <P>Do you guys know how to do this?</P> Thu, 31 Jul 2014 17:15:13 GMT niboucher 2014-07-31T17:15:13Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165864#M47163 <P>Hello,</P> <P>In each line of the logs ,there is an email, an IP address and a timestamp.</P> <P>I'd like to calculate for each day the top 1 (or top 5 or top 10) IPs which have the biggest number of distinct emails.</P> <P>I'm using this</P> <PRE><CODE>| bin span=1d _time | stats dc(email) by ip,_time </CODE></PRE> <P>but this doesn't do the trick since it prints a line for each IP and each day and I don't know to get only the top 5 dc(email) per IP</P> <P>I'd like the result to look like this</P> <PRE><CODE>_time dc(email) ip 2014-07-28 50 10.1.1.1 30 1.1.1.2 20 1.1.1.3 10 1.1.1.4 10 1.1.1.4 2014-07-29 120 10.9.1.1 85 25.1.1.2 45 34.1.1.3 35 26.1.1.4 15 42.1.1.4 </CODE></PRE> <P>Do you guys know how to do this?</P> Thu, 31 Jul 2014 17:15:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165864#M47163 niboucher 2014-07-31T17:15:13Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165865#M47164 <P>Try something like this:</P> <P>|bucket _time span=1d | eventstats dc(email) by ip | top limit=5 dc(email),ip by _time |sort -_time, -dc(email)</P> Mon, 28 Sep 2020 17:13:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165865#M47164 aelliott 2020-09-28T17:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165866#M47165 <P>Updated the answer, should be good now.</P> Thu, 31 Jul 2014 18:10:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165866#M47165 aelliott 2014-07-31T18:10:31Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165867#M47166 <P>Another way of achieving the same</P> <PRE><CODE>your base search | bin span=1d _time | stats dc(email) as dc by ip,_time | sort _time,dc | streamstats count by _time | where count &lt; 6 </CODE></PRE> Thu, 31 Jul 2014 18:31:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165867#M47166 somesoni2 2014-07-31T18:31:23Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165868#M47167 <P>Wouldn't that be <CODE>where count &lt; 6</CODE>?</P> Fri, 01 Aug 2014 22:56:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165868#M47167 martin_mueller 2014-08-01T22:56:50Z https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165869#M47168 <P>It indeed should be &lt;6. Thanks for pointing it out. I guess I'm in mood for early Friday..</P> Fri, 01 Aug 2014 23:17:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-top-5-IPs-with-highest-distinct-count-emails-per/m-p/165869#M47168 somesoni2 2014-08-01T23:17:36Z