We keep getting DDoS attacks that target our web applications.
I've set up Splunk and have all of our servers forwarding logs via syslog-ng which works like a charm.
I also set up an extracted field called "ip" that extracts the IP address from the Apache logs, which also works great.
I can't seem to figure out how to create a timeline chart with the count of each hit/event so I can determine who is at the top of the list.
When I "generate report.." that works fine, but how do I use my custom field as a search query? I've used:
sourcetype="access_combined" | timechart count by ip
and can't get any results.
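The search above buckets hits per time span and per client address. As an added illustration (not from this thread or from Splunk), here is a small Python script that does the same thing directly over access_combined lines, so you can sanity-check what the report should show; the log lines are constructed samples and the regex group names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Apache access_combined format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.88"
not a log line
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Leading fields of access_combined: the client address is the first token (group names are my own).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(text):
    """Yield (timestamp, ip) for each well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def timechart_count_by_ip(text, span_seconds=60):
    """Same shape as `timechart span=1m count by ip`: {bucket_start_iso: {ip: count}}."""
    buckets = defaultdict(Counter)
    for ts, ip in parse_events(text):
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % span_seconds][ip] += 1
    return {datetime.fromtimestamp(b, tz=timezone.utc).isoformat(): dict(c)
            for b, c in sorted(buckets.items())}


def top_talkers(text, limit=10):
    """Same as `stats count by ip | sort -count | head <limit>`: who is at the top of the list."""
    return Counter(ip for _, ip in parse_events(text)).most_common(limit)


if __name__ == "__main__":
    for bucket, counts in timechart_count_by_ip(SAMPLE_LOG).items():
        print(bucket, counts)
    print(top_talkers(SAMPLE_LOG))
```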
You might want to check out this Splunk search tutorial:
There are sub-tutorials for the stats, chart, and timechart commands:
Yea, that's what I figured, but after making sure I wasn't retarded... I renamed my field to 'xxx' rather than 'ip' and it worked like a charm. Perhaps "ip" is reserved/cannot be used 🙂
Thanks for the help though