Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Find repeating rows from a specific client
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am logging from Amazon ELB and I have some particular clients that seem to have a bug that causes them to flood the server with the same request over and over. Usually the server receive around 1000 requests during 1-2 seconds then it will stop. This happens around once a week. I would like to locate all these instances and put them in a table. In Splunk I have the following parameters available that I would like to group on:
deviceGuid
I would like to have a list showing the following each time count > 100:
DateTime, deviceGuid, deviceBrand, deviceModel, count
For example this would be perfect if I can achieve:
2016-01-01 00:00:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,900
2016-01-01 00:05:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,800
2016-01-01 00:05:00,2e718d56-91bf-401c-a305-79bc638ac705,IBM,ThinkPad 500,900
I would like DateTime of the span together deviceGuid to be unique on each row
This is what I have so far
host=cloudserver ClientConfig | timechart span=5sec count | where count > 100
Is this doable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by ClientConfig _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by ClientConfig _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by ClientConfig _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count
Did not generate any results
I changed it like this:
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by deviceGuid _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count
And now the list colums show as expected however there are many 100% equal rows with the exact same time, deviceguid. devicemodel, count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This actually seem to made it. Is this correct?
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by deviceGuid _time | where count>100 | table _time deviceGuid, deviceBrand, deviceModel, count | dedup _time deviceGuid, deviceBrand, deviceModel, count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess I mis-understood you question. I thought you wanted to see all the repeating events, sounds like you want to only see one of the repeating events, right?. Your change should work, or you can try this change.
host=cloudserver ClientConfig | bin span=5s _time | eventstats count by deviceGuid _time | where count>100 | stats count by _time deviceGuid, deviceBrand, deviceModel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! works perfectly
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
