
How to get top x-forwarded-for IP address in Apache access log?



My data looks like this:

, - - [08/Jun/2014:13:16:08 +0000] "POST /index.php HTTP/1.1" 200 40 "" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5300 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" BytesIn:3342 Bytes:596 Time:87556 Process:31989 Conn:+ Host:localhost
, - - [08/Jun/2014:13:16:08 +0000] "GET /sa-ar/%D8%A8%D9%84%D8%A7%D9%83-%D8%A8%D9%8A%D8%B1%D9%8A-q10-%D8%B3%D8%B9%D8%A9-16-%D8%AC%D9%8A%D8%AC%D8%A7%D8%A8%D8%A7%D9%8A%D8%AA-%D9%86%D8%B8%D8%A7%D9%85-%D8%A7%D9%84%D8%AA%D8%B4%D8%BA%D9%8A%D9%84-%D8%A8%D9%84%D8%A7%D9%83-%D8%A8%D9%8A%D8%B1%D9%8A-10-%D9%88%D8%A7%D9%8A-%D9%81%D8%A7%D9%8A-+-lte-%D8%A7%D9%84%D8%AC%D9%8A%D9%84-%D8%A7%D9%84%D8%B1%D8%A7%D8%A8%D8%B9-%D8%A3%D8%A8%D9%8A%D8%B6-%D8%B0%D9%87%D8%A8%D9%8A-6971438/i/ HTTP/1.1" 200 31265 "/sa-ar/%D8%B0%D9%87%D8%A8%D9%8A/%D9%85%D9%88%D8%A8%D8%A7%D9%8A%D9%84%D8%A7%D8%AA--bslash--%D8%AC%D9%88%D8%A7%D9%84%D8%A7%D8%AA-33/a-t/s/?seller=DOD_KSA%2Ctest-Shop&rpp=10&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=dod_sa_ar_a_080614_O&utm_content=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" BytesIn:4103 Bytes:31824 Time:950381 Process:31922 Conn:+ Host:localhost
, - - [08/Jun/2014:13:16:09 +0000] "GET /sa-ar/casio/s/ HTTP/1.1" 200 20351 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +/bot.html)" BytesIn:388 Bytes:21087 Time:794695 Process:31985 Conn:+ Host:localhost

How can I get the number of IP addresses per column, like this:

ip_list count 2 1



Splunk Employee

Assuming you are using the directives in the default sourcetype of access_combined_wcookie and your IP address field is called clientip... you want this:

index=whatever sourcetype=whatever |top clientip|fields - percent

The "top" command will give you a percent column as well as a count column, so you can remove it with 'fields'. You can adjust how many IP addresses show by adding limit=: |top limit=20 clientip

If you want all your IP addresses you could just say |stats count by clientip|sort -count

You might want to take a look at this book available on Amazon (Kindle version is $18.00), which will take you through a nice slow lesson on how to use the search language.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
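As an added example (not from the question or the answer above), the same top-N count done outside Splunk in Python over lines in the poster's log layout, where the comma-separated X-Forwarded-For list sits in the position Apache's %h normally occupies; the sample lines and every address in them are constructed. Counting list position 0 matches `top clientip` on the first address; counting position -1 uses the address appended by the nearest proxy, which is the only entry a proxy you operate actually vouches for, since the leftmost values arrive from the client.

```python
import re
from collections import Counter

# Constructed sample lines in the poster's layout, with made-up client and
# proxy addresses in the leading X-Forwarded-For position.
SAMPLE_LOG = """\
203.0.113.10, 10.0.0.5 - - [08/Jun/2014:13:16:08 +0000] "POST /index.php HTTP/1.1" 200 40 "" "Mozilla/5.0" BytesIn:3342 Bytes:596 Time:87556 Process:31989 Conn:+ Host:localhost
198.51.100.7, 10.0.0.5 - - [08/Jun/2014:13:16:08 +0000] "GET /sa-ar/casio/s/ HTTP/1.1" 200 20351 "-" "Mozilla/5.0" BytesIn:388 Bytes:21087 Time:794695 Process:31985 Conn:+ Host:localhost
203.0.113.10, 10.0.0.6 - - [08/Jun/2014:13:16:09 +0000] "GET /index.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" BytesIn:400 Bytes:100 Time:1000 Process:31922 Conn:+ Host:localhost
"""

# Everything before " - - [" is the X-Forwarded-For list; the rest follows
# the usual combined-log fields up to the response size.
LINE_RE = re.compile(
    r'^(?P<xff>[^\[]*?) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ips = [p.strip() for p in m.group("xff").split(",") if p.strip()]
    return {"ips": ips, "time": m.group("time"),
            "request": m.group("request"), "status": int(m.group("status"))}


def top_ips(log_text, limit=10, position=0):
    """Count the address at `position` in each line's X-Forwarded-For list.

    position=0  -> leftmost address, the one the client claims (untrusted).
    position=-1 -> last address, appended by the nearest proxy.
    Returns [(ip, count), ...] sorted by count, like `top` without percent.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ips"]:
            try:
                counts[rec["ips"][position]] += 1
            except IndexError:  # shorter list than the requested position
                pass
    return counts.most_common(limit)


if __name__ == "__main__":
    for ip, n in top_ips(SAMPLE_LOG, limit=20):
        print(f"{ip}\t{n}")
```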