Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find top 20 client IPs that generate the most errors and display individual error status counts for each client IP

Kaitrono
Engager
‎06-23-2015 10:46 AM

I have only been using Splunk for a few days and couldn't find an answer to this question.
I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).
I'm able to get a list of all client IPs right now

index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500) 
| stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip 
| sort -"Total Errors"

This creates a table like so:

clientip   | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count 
142.182.28 |      20      |    13     |     5     |     1     |     1     |     0

I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.

Tags (5)
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-23-2015 11:04 AM

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line: 

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-23-2015 11:04 AM

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line: 

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"
Reply
Solved! Jump to solution

Kaitrono
Engager
‎06-23-2015 11:20 AM

Thank you! I was not aware sort could take that parameter and this worked.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-23-2015 11:04 AM

How about ... | sort - "Total Errors" | top limit=20 "Total Errors" ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎06-23-2015 11:07 AM

Except that using top would eliminate the all of the other fields, "clientip", and the "### Count"

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...