Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you use the timechart command to retrie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I try to get from iis logs top source IP by requests with the number of requests in every 5 seconds.
If I just try to find top IP in span - it works well. f.e.:
- sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart mode(c_ip) span=5sec
also search to fint count is works well:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart max(c_ip) span=5sec
But if I try to use both - search output nothing. why?
sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart mode(c_ip), max(c_ip) span=5sec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let's talk about mode(): is gives you the most frequent field however it does not gives you the count used to extract that values. To obtain that value is a bit of a pain.
Additionally your search
sourcetype="ms:iis:auto" cs_host="www.example.com" | timechart max(c_ip) span=5sec
Leaves me a bit puzzled because it should give you the max value of the C_ip field; it does not give you the count. Are you sure is it working correctly?
The best solution i can advise is to use this method (https://answers.splunk.com/answers/99221/counting-how-often-the-mode-value-occurs-in-a-result-set.ht...) to extract the count of the mode(); applied to your fields it should become:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| bin _time span=5s
| eventstats mode(C_ip) as mostfrequent by _time `
| eval isMode=if(C_ip=mostfrequent,1,0)
| timechart span=5s mode(C_ip) as mode, sum(isMode) as hits
Hope this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let's talk about mode(): is gives you the most frequent field however it does not gives you the count used to extract that values. To obtain that value is a bit of a pain.
Additionally your search
sourcetype="ms:iis:auto" cs_host="www.example.com" | timechart max(c_ip) span=5sec
Leaves me a bit puzzled because it should give you the max value of the C_ip field; it does not give you the count. Are you sure is it working correctly?
The best solution i can advise is to use this method (https://answers.splunk.com/answers/99221/counting-how-often-the-mode-value-occurs-in-a-result-set.ht...) to extract the count of the mode(); applied to your fields it should become:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| bin _time span=5s
| eventstats mode(C_ip) as mostfrequent by _time `
| eval isMode=if(C_ip=mostfrequent,1,0)
| timechart span=5s mode(C_ip) as mode, sum(isMode) as hits
Hope this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thx a lot!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
