Re: IP address of highest Uri count

naval1992 · ‎09-27-2020

I used this query to get the count of Uri and IP

"index=*index* host="*host*" status = "400" OR "404" OR "500" OR "403" status!="200" status!="NULL" NOT "GoogleBot" status=404 | top limit=10 uri |where count > 9 | append[ search index=*index* source=*source*| top limit=10 Real_IP | where count > 10]"

I need the query search that automatically it picks the highest value of Uri count and shows the IP address corresponding to this Uri along with Uri

naval1992 · ‎09-29-2020

I want that I already got different of Real_IP that is hitting for particular URI I just want to add a count of this different Real_IP that occurred how many times basically as you can see in the image particular URI count is 200 and the corresponding IP are may I just want out of these IP which occurred how many time in the same query that i have created

me74fhfd · ‎09-28-2020

I think what you want to do is first list count with corresponding IP addresses as you've done in code and then add this line of SPL at the end:

| stats max(count) by Real_IP | head 1

btw. try not to use control words in SPL like count, event etc because there is a good chance it will return an error. Let me know if that works

IP address of highest Uri count

using Splunk Enterprise

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!