Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count New IPs Accessed Over Time

ky129q
Engager
‎06-15-2021 08:37 AM

We have a daily report that generates an event each time an IP is accessed each day.  In order to determine the number of new IPs accessed today that have never been accessed before we use the following query:

sourcetype=report_900 earliest=-1d@d latest=now NOT 
    [search sourcetype=report_900 earliest=1 latest=-1d@d 
    |  stats count by IPv4Address 
    | table IPv4Address] 
| stats count by IPv4Address
| table IPv4Address
| stats count

What we would like to have is a query that produces a timechart of the the number of new IPs accessed each day.

If the data shows the following IP access for the day  (each letter represents a different IP)

2021/01/01 IPs:  A,B,C,A,A

2021/01/02 IPs: B,D,E,B,E

2021/01/03 IPs: A,D,E,A,A

2021/01/04 IPs: B,C,F,C

We would get the following results:

2021/01/01     3

2021/01/02     2

2021/01/03     0

2021/01/04     1

Any suggestions on how this can be accomplished?

Also, any suggestions on improving the performance of our original query?

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2021 09:41 AM 
sourcetype=report_900 earliest=1 latest=now
| bin _time span=1d
| stats values(IPv4Address) as IPv4Address by _time
| streamstats dc(IPv4Address) as countip
| streamstats window=1 current=f values(countip) as previouscount
| fillnull value=0 previouscount
| eval change=countip-previouscount

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2021 09:41 AM 
sourcetype=report_900 earliest=1 latest=now
| bin _time span=1d
| stats values(IPv4Address) as IPv4Address by _time
| streamstats dc(IPv4Address) as countip
| streamstats window=1 current=f values(countip) as previouscount
| fillnull value=0 previouscount
| eval change=countip-previouscount
0 Karma
Reply
Solved! Jump to solution

ky129q
Engager
‎06-21-2021 03:58 AM

Exactly what I wanted.  Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...