Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IP address of highest Uri count

naval1992
Engager
‎09-27-2020 11:54 PM

I used this  query to get the count of Uri and IP 

"index=*index* host="*host*" status = "400" OR "404" OR "500" OR "403" status!="200" status!="NULL" NOT "GoogleBot" status=404 | top limit=10 uri |where count > 9 | append[ search index=*index* source=*source*| top limit=10 Real_IP | where count > 10]"

I need the query search that automatically it picks the highest value of Uri count and shows the IP address corresponding to this Uri  along with Uri 

Labels (1)
Labels
0 Karma
Reply

naval1992
Engager
‎09-29-2020 04:25 AM

I want that I already got different  of Real_IP that is hitting  for particular URI I just want to add a count of this different Real_IP that occurred how many times basically as you can see in the image particular URI count is 200 and the corresponding IP are may I just want out of these IP which occurred how  many time  in the same query that i have created 

 

0 Karma
Reply

me74fhfd
Path Finder
‎09-28-2020 04:37 AM

I think what you want to do is first list count with corresponding IP addresses as you've done in code and then add this line of SPL at the end:

| stats max(count) by Real_IP | head 1

btw. try not to use control words in SPL like count, event etc because there is a good chance it will return an error. Let me know if that works

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...