topic Re: Find repeating rows from a specific client in Splunk Search

Find repeating rows from a specific client

jensolsson83 — Mon, 25 Jul 2016 10:02:53 GMT

I am logging from Amazon ELB and I have some particular clients that seem to have a bug that causes them to flood the server with the same request over and over. Usually the server receive around 1000 requests during 1-2 seconds then it will stop. This happens around once a week. I would like to locate all these instances and put them in a table. In Splunk I have the following parameters available that I would like to group on:
deviceGuid
I would like to have a list showing the following each time count > 100:
DateTime, deviceGuid, deviceBrand, deviceModel, count

For example this would be perfect if I can achieve:

2016-01-01 00:00:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,900
2016-01-01 00:05:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,800
2016-01-01 00:05:00,2e718d56-91bf-401c-a305-79bc638ac705,IBM,ThinkPad 500,900

I would like DateTime of the span together deviceGuid to be unique on each row

This is what I have so far
host=cloudserver ClientConfig | timechart span=5sec count | where count > 100

Is this doable?

Re: Find repeating rows from a specific client

sundareshr — Mon, 25 Jul 2016 11:58:38 GMT

Try this

host=cloudserver ClientConfig | bin span=5s _time | eventstats count by ClientConfig _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count

Re: Find repeating rows from a specific client

jensolsson83 — Mon, 25 Jul 2016 12:12:48 GMT

host=cloudserver ClientConfig | bin span=5s _time | eventstats count by ClientConfig _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count

Did not generate any results

I changed it like this:
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by deviceGuid _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count

And now the list colums show as expected however there are many 100% equal rows with the exact same time, deviceguid. devicemodel, count.

Re: Find repeating rows from a specific client

jensolsson83 — Mon, 25 Jul 2016 12:15:14 GMT

This actually seem to made it. Is this correct?

Re: Find repeating rows from a specific client

sundareshr — Mon, 25 Jul 2016 12:51:38 GMT

I guess I mis-understood you question. I thought you wanted to see all the repeating events, sounds like you want to only see one of the repeating events, right?. Your change should work, or you can try this change.

host=cloudserver ClientConfig | bin span=5s _time | eventstats count by deviceGuid _time | where count>100 | stats count by _time deviceGuid, deviceBrand, deviceModel

Re: Find repeating rows from a specific client

jensolsson83 — Mon, 25 Jul 2016 12:52:57 GMT

Thanks! works perfectly