Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get top 3 IP's for each user in top 10 list

splunklearner12
Path Finder
‎06-18-2019 08:23 AM

I have a list of top 10 users, but I also want the top 3 IP addresses used by those users in a table. Some users will have only used 1 IP while other users have sent traffic from more than 3 IP addresses. I can get top 3 IP's per user: "blah | top client_ip by user limit=3" but I can't get it into the top 10 overall users list. Any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎06-18-2019 11:19 AM

@splunklearner1234 Below search should work. your base search will be same in subsearch and main search(index=indexname>sourcetype=sourcetypename)

<your base search>| stats count as ipcount  by user src|  sort 0  -ipcount| streamstats count as ucount by user| where ucount <=3| append[search <your base search>| top user ]| eventstats sum(count) as sum by user | where sum>0 and ucount>0|sort -sum user| fields - count percent ucount

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-18-2019 11:56 AM

Hi @splunklearner1234,

Lots of ways to do this, the easiest is :

 | top 3 IP BY users

More ways to do so described here :
https://answers.splunk.com/answers/750232/show-top-5-values-in-column-chart.html#comment-753389

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎06-18-2019 11:19 AM

@splunklearner1234 Below search should work. your base search will be same in subsearch and main search(index=indexname>sourcetype=sourcetypename)

<your base search>| stats count as ipcount  by user src|  sort 0  -ipcount| streamstats count as ucount by user| where ucount <=3| append[search <your base search>| top user ]| eventstats sum(count) as sum by user | where sum>0 and ucount>0|sort -sum user| fields - count percent ucount
0 Karma
Reply
Solved! Jump to solution

sjbriggs
Path Finder
‎10-15-2020 08:01 AM

I'm struggling to adapt this solution to my problem but I feel like it's the closest to what I'm looking for.

I'm simply trying to get the top 10 src_ips in bytes of web usage, then the top 10 sites each of those src_ips goes to.

My current solution is close but I can't seem to get to it just listing the top 10 sites for each IP, it seems to be doing the top sites overall and then spreading them over the src ips.

index=proxy bytes>0
| fields src domain bytes
|stats sum(bytes) AS totalbytes  by domain,src
|sort -totalbytes  | head 50
|stats list(domain) as Domain, list(totalbytes) AS Total BY  src
| sort -Total

I had to do the "head 50"  because when I did head 10, i was only getting the top 10 domains in terms of bytes transferred and that was usually over just 3 or 4 IPs.  By doing head 50, i was getting more domains to spread over more IPs but still not exactly what I wanted which would be 10 IPs and the top 10 sites for each IP.

0 Karma
Reply
Solved! Jump to solution

splunklearner12
Path Finder
‎06-19-2019 03:32 AM

This worked perfectly - I didn't know the streamstats command and had to step through your solution to see how it works, very useful thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...