Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you use the timechart command to retrieve t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I try to get from iis logs top source IP by requests with the number of requests in every 5 seconds.
If I just try to find top IP in span - it works well. f.e.:
- sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart mode(c_ip) span=5sec
also search to fint count is works well:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart max(c_ip) span=5sec
But if I try to use both - search output nothing. why?
sourcetype="ms:iis:auto" cs_host="www.example.com"
| timechart mode(c_ip), max(c_ip) span=5sec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let's talk about mode(): is gives you the most frequent field however it does not gives you the count used to extract that values. To obtain that value is a bit of a pain.
Additionally your search
sourcetype="ms:iis:auto" cs_host="www.example.com" | timechart max(c_ip) span=5sec
Leaves me a bit puzzled because it should give you the max value of the C_ip field; it does not give you the count. Are you sure is it working correctly?
The best solution i can advise is to use this method (https://answers.splunk.com/answers/99221/counting-how-often-the-mode-value-occurs-in-a-result-set.ht...) to extract the count of the mode(); applied to your fields it should become:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| bin _time span=5s
| eventstats mode(C_ip) as mostfrequent by _time `
| eval isMode=if(C_ip=mostfrequent,1,0)
| timechart span=5s mode(C_ip) as mode, sum(isMode) as hits
Hope this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, let's talk about mode(): is gives you the most frequent field however it does not gives you the count used to extract that values. To obtain that value is a bit of a pain.
Additionally your search
sourcetype="ms:iis:auto" cs_host="www.example.com" | timechart max(c_ip) span=5sec
Leaves me a bit puzzled because it should give you the max value of the C_ip field; it does not give you the count. Are you sure is it working correctly?
The best solution i can advise is to use this method (https://answers.splunk.com/answers/99221/counting-how-often-the-mode-value-occurs-in-a-result-set.ht...) to extract the count of the mode(); applied to your fields it should become:
sourcetype="ms:iis:auto" cs_host="www.example.com"
| bin _time span=5s
| eventstats mode(C_ip) as mostfrequent by _time `
| eval isMode=if(C_ip=mostfrequent,1,0)
| timechart span=5s mode(C_ip) as mode, sum(isMode) as hits
Hope this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thx a lot!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
