Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generate report by IP from DDoS Attacks

phatlenix
New Member
‎02-16-2011 09:45 PM

We keep getting DDoS attacks that target our web applications. I've setup Splunk and have all of our servers forwarding logs via syslog-ng which works like a charm.

I also setup an extracted field called "ip" that extracts the ip address from the apache logs which also works great.

I can't seem to figure how do I create a timeline chart with the count of each hit/event so I can determine who is at the top of the list.

When I "generate report.." that works fine, but how do I use my custom field as a search query? I've used:

sourcetype="access_combined" count(ip)

and can't get any results.

Any tips? Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-16-2011 10:12 PM 
sourcetype="access_combined" | timechart count by ip

You might want to check out this Splunk search tutorial: http://www.splunk.com/base/Documentation/4.1.7/User/WelcometotheSplunkTutorial

There are sub-tutorials for the stats, chart, and timechart commands: http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Timechart http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Chart http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Stats

View solution in original post

Reply
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-16-2011 10:12 PM 
sourcetype="access_combined" | timechart count by ip

You might want to check out this Splunk search tutorial: http://www.splunk.com/base/Documentation/4.1.7/User/WelcometotheSplunkTutorial

There are sub-tutorials for the stats, chart, and timechart commands: http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Timechart http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Chart http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Stats

Reply
Solved! Jump to solution

phatlenix
New Member
‎02-16-2011 11:46 PM

Yea, that's what I figured but after making sure I wasn't retarded... I renamed by field to 'xxx' rather than 'ip' and it worked like a charm. Perhaps "ip" is reserved/cannot be used 🙂

Thanks for the help though

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...