topic Re: Splunk search - chart the number of hits from each IP over a fixed range in Splunk Search

Splunk search - chart the number of hits from each IP over a fixed range

asdfxqwert — Wed, 16 Aug 2017 23:54:33 GMT

We have the below data:

IP           Count
A            50
B            100
C            20
D            60
E            10
F            90

We have to chart it as below. Any pointers would be helpful

1-20    2
20-50   2
50-100  3

Re: Splunk search - chart the number of hits from each IP over a fixed range

lfedak_splunk — Thu, 17 Aug 2017 00:08:47 GMT

Hey @asdfxqwert, Do you want 20 and 50 to be inclusive in both ranges? Asking because your range on line 3 doesn't match your range on line 2 in that sense. (There are 2 values in the 20-50 range inclusive of 20 and there are 4 values in the 50-100 range inclusive of 50). Either way, publishing so the experts can help you chart this. 🙂

Re: Splunk search - chart the number of hits from each IP over a fixed range

asdfxqwert — Thu, 17 Aug 2017 00:12:24 GMT

Hi @lfedak-splunk

Thanks for spotting the issue. The range should be exclusive.

1-20
21-50
51-100 etc

Also, the range can be dynamic. So, it would be great to have a function(user defined or existing) to define the range as per the requirement.

Thanks for publishing !

Re: Splunk search - chart the number of hits from each IP over a fixed range

kmorris_splunk — Thu, 17 Aug 2017 00:35:07 GMT

You could use the rangemap command:

YOUR BASE SEARCH 
| rangemap field=Count "1-20"=1-20 "21-50"=21-50 "51-100"=51-100 default=">100" 
| stats count by range

This assumes the fieldname that holds the value is called Count like it shows in your data sample.

Re: Splunk search - chart the number of hits from each IP over a fixed range

asdfxqwert — Thu, 17 Aug 2017 17:01:43 GMT

@kmorris_splunk

The count is actually not a fieldname. It is derived from the number of occurrences of the IP

Thank you

Re: Splunk search - chart the number of hits from each IP over a fixed range

lfedak_splunk — Thu, 17 Aug 2017 18:12:09 GMT

Sure thing!

Re: Splunk search - chart the number of hits from each IP over a fixed range

kmorris_splunk — Thu, 17 Aug 2017 18:54:16 GMT

Try something like this. It is different than your search, but you will get the idea:

sourcetype=access_combined 
| stats count as Count by action 
| rangemap field=Count "900-950"=900-950 "951-1000"=951-1000 default=">1000" 
| table action range

Re: Splunk search - chart the number of hits from each IP over a fixed range

asdfxqwert — Thu, 17 Aug 2017 23:32:13 GMT

@kmorris_splunk

Thank you, it worked !