Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk time command question

nnonm111
Path Finder
‎08-24-2021 10:30 PM

I would like to know the ip that made status=404 more than 10 times in 10 minutes in a week. Please help me.

field list
ip = src_ip
status = status

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-24-2021 10:55 PM

@nnonm111 

Use the following

You_search status=404
| bin _time span=10m
| stats count by src_ip _time
| where count>10

I would recommend not using the transaction command as that is a very poor performing command to use for this purpose - depending on your data volume and number of IP addresses, you are likely to be a memory hog on the search head and may silently come up against server defined limits.

Using stats is very simple and efficient - the above bin command sets a time window and it will then count the occurrences of each IP within each 10 minute window.

The result set will give you each IP and each 10 minute window where the count exceeded 10. 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-24-2021 10:55 PM

@nnonm111 

Use the following

You_search status=404
| bin _time span=10m
| stats count by src_ip _time
| where count>10

I would recommend not using the transaction command as that is a very poor performing command to use for this purpose - depending on your data volume and number of IP addresses, you are likely to be a memory hog on the search head and may silently come up against server defined limits.

Using stats is very simple and efficient - the above bin command sets a time window and it will then count the occurrences of each IP within each 10 minute window.

The result set will give you each IP and each 10 minute window where the count exceeded 10. 

 

0 Karma
Reply
Solved! Jump to solution

nnonm111
Path Finder
‎08-24-2021 11:02 PM

Then I'd like to confirm that you send a ping to another ip more than 10 times in 10 minutes.
Action = Ping
ip = clientip

Tags (2)
0 Karma
Reply
Solved! Jump to solution

danielcj
Communicator
‎08-24-2021 10:46 PM

Hello,

Please verify the following query:

index=<your_index> sourcetype=<your_sourcetype> status=404 
| transaction src_ip maxspan=10m 
| where eventcount > 10


Make sure to define your search time range to be executed in a week.

 

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...