Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IP address of highest Uri count

naval1992
Engager
‎09-27-2020 11:54 PM

I used this  query to get the count of Uri and IP 

"index=*index* host="*host*" status = "400" OR "404" OR "500" OR "403" status!="200" status!="NULL" NOT "GoogleBot" status=404 | top limit=10 uri |where count > 9 | append[ search index=*index* source=*source*| top limit=10 Real_IP | where count > 10]"

I need the query search that automatically it picks the highest value of Uri count and shows the IP address corresponding to this Uri  along with Uri 

Labels (1)
Labels
0 Karma
Reply

naval1992
Engager
‎09-29-2020 04:25 AM

I want that I already got different  of Real_IP that is hitting  for particular URI I just want to add a count of this different Real_IP that occurred how many times basically as you can see in the image particular URI count is 200 and the corresponding IP are may I just want out of these IP which occurred how  many time  in the same query that i have created 

 

0 Karma
Reply

me74fhfd
Path Finder
‎09-28-2020 04:37 AM

I think what you want to do is first list count with corresponding IP addresses as you've done in code and then add this line of SPL at the end:

| stats max(count) by Real_IP | head 1

btw. try not to use control words in SPL like count, event etc because there is a good chance it will return an error. Let me know if that works

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...