Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find top 20 client IPs that generate the most errors and display individual error status counts for each client IP

Kaitrono
Engager
‎06-23-2015 10:46 AM

I have only been using Splunk for a few days and couldn't find an answer to this question.
I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).
I'm able to get a list of all client IPs right now

index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500) 
| stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip 
| sort -"Total Errors"

This creates a table like so:

clientip   | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count 
142.182.28 |      20      |    13     |     5     |     1     |     1     |     0

I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.

Tags (5)
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-23-2015 11:04 AM

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line: 

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-23-2015 11:04 AM

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line: 

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"
Reply
Solved! Jump to solution

Kaitrono
Engager
‎06-23-2015 11:20 AM

Thank you! I was not aware sort could take that parameter and this worked.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-23-2015 11:04 AM

How about ... | sort - "Total Errors" | top limit=20 "Total Errors" ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-23-2015 11:07 AM

Except that using top would eliminate the all of the other fields, "clientip", and the "### Count"

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...