Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IP address of highest Uri count

naval1992
Engager
‎09-27-2020 11:54 PM

I used this  query to get the count of Uri and IP 

"index=*index* host="*host*" status = "400" OR "404" OR "500" OR "403" status!="200" status!="NULL" NOT "GoogleBot" status=404 | top limit=10 uri |where count > 9 | append[ search index=*index* source=*source*| top limit=10 Real_IP | where count > 10]"

I need the query search that automatically it picks the highest value of Uri count and shows the IP address corresponding to this Uri  along with Uri 

Labels (1)
Labels
0 Karma
Reply

naval1992
Engager
‎09-29-2020 04:25 AM

I want that I already got different  of Real_IP that is hitting  for particular URI I just want to add a count of this different Real_IP that occurred how many times basically as you can see in the image particular URI count is 200 and the corresponding IP are may I just want out of these IP which occurred how  many time  in the same query that i have created 

 

0 Karma
Reply

me74fhfd
Path Finder
‎09-28-2020 04:37 AM

I think what you want to do is first list count with corresponding IP addresses as you've done in code and then add this line of SPL at the end:

| stats max(count) by Real_IP | head 1

btw. try not to use control words in SPL like count, event etc because there is a good chance it will return an error. Let me know if that works

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...