- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count Dashboard for each ip based on traffic count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count Dashboard for each ip based on traffic count
Hi All,
I am trying to build the query to get the website hits for each IP, there are 16 servers ip and wanted to get the traffic served by each ip in every 15 mints. I have schedule script running in every 15 mints and writing below details in logs. Can you help how i can extract the hit counts for all ip and show for timechart span=15m.
Below is the log file capturing the ip and hit counts every 15 mints.
10.83.49.14
25155
10.83.49.17
21461
10.83.49.18
32736
10.83.49.21
15529
10.83.49.19
19987
10.83.49.20
16751
10.183.49.14
27953
Thanks, Ajay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ajat_semwal,For the community to assist you better please add more details.
what is the SPL you have tried so far and what is the output? Are above event separate events or multivalue within same event? If separate event do they have the same timestamp or not? Is there a way you can control what gets logged during IP and hits in your log? Is there any lookup kvstore which maintains the list of all available servers whether they have hit by specific server or not during entire timerange or not? Would you still want to always show all servers even if some of them do not have any hits for selected timerange? Is the log of Server IP and hits being stored, fetched in logs in specific format like csv or json?
Finally, if this is a new setup, do you have any Professional Service or Splunk SE contact you can help you with this kind of setup along with best practices?
Following is a run anywhere example which generates comma separated values similar to your question (since regular expression extraction depends on actual data feed this SPL might not directly work with your data). If data is in standard format field extraction can be controlled during ingestion or search time for automatic or predefined extraction.
| makeresults
| eval data="10.83.49.14,25155;10.83.49.17,21461;10.83.49.18,32736;10.83.49.21,15529;10.83.49.19,19987;10.83.49.20,16751;10.183.49.14,27953"
| append
[| makeresults
| eval _time=_time-900, data="10.83.49.14,10055;10.83.49.17,21461;10.83.49.18,20736;10.83.49.21,20529;10.83.49.19,23987;10.83.49.20,10751;10.183.49.14,32953"]
| append
[| makeresults
| eval _time=_time-1800, data="10.83.49.14,30055;10.83.49.17,15461;10.83.49.18,10736;10.83.49.21,25529;10.83.49.19,13987;10.83.49.20,15751;10.183.49.14,35953"]
| append
[| makeresults
| eval _time=_time-2700, data="10.83.49.14,20055;10.83.49.17,20461;10.83.49.18,15736;10.83.49.21,18529;10.83.49.19,30987;10.83.49.20,25751;10.183.49.14,15953"]
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex field=_raw "(?<serverIP>[^,]+),(?<hits>(\d+))"
| timechart span=15min sum(hits) as hits by serverIP cont=f
PS:
1. Commands till rename data as _raw generated raw data of comma separated Server IP and hits count.
2. I have added cont=f argument for timechart since I have generated only 4 data samples in the run anywhere example.
| makeresults | eval message= "Happy Splunking!!!"
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
