Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search web traffic from a particular ip address, count hostnames by 15 minute incriments | then chart count by catdesc.

DW2054
Engager
‎09-19-2014 09:15 AM

What I am trying to get:
A 14 days chart of category descriptions that has a meaningful count. Right now I see things like:

Type____________________________________________________________Count
Search Engines and Portal 7000

What I would like it be"
Type_______________________________________________________________Count
Search Engines and Portal 344

On the back end a person went to google and did multiple searches for ~ 15 minutes a day over 14 days.

Detailed thoughts:
Look at a ip address's website traffic over 14 days, distinguish visit to a site vice numerous log entries due to initial visit to a site (walmart.com pulls something like 6-9 different events). Transform that into catdesc to show # of visits to a particular type over 14 days.

What I had originally tried was:
(IP address) www.*| chart count by catdesc limit=0 | sort -count

Thank you!

Tags (2)
0 Karma
Reply

ryangibson99
Explorer
‎09-19-2014 12:44 PM

I might do something like this. I don't know if it's the most efficient or whatever but hope this helps. I like to use list rather than values but I guess I'm the only one. Maybe look at the values command as well.

ipaddress www.*(I'm guessing this is a source or sourcetype?) | bucket span=15m _time | stats list(catdesc) AS Description, list(count) as Count by (ipaddress/hostname) | sort -Count

0 Karma
Reply

DW2054
Engager
‎09-19-2014 03:37 PM

Ryan,

Thank you for the answer, I really appreciate it.

This is what I used: (time 24 hours)
(IP Adress) www.*| bucket span=15m _time | stats list(catdesc) AS Description, list(count) as count by hostname | sort -Count

I get:
Hostname Description Count
Google Search Engines and Portals was blank.

Do you know how to covert the descriptions to counts and only show:

Google Search Engines and Portals 37.

Does the bucket span 15 take the length (24 hours) and break it down into 15 minute increments?

Thank you

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...