Splunk Search

How to achieve top 10 src_ip's along with top 10 urls for each src_ip?

jhamot23
Engager

I'm trying to run a query to figure out the top 10 src_ip's along with their top 10 urls visited. When I try the below query it's giving me every src_ip instead of just the top 10.

Any suggestions on how to limit the search for just the top 10 src_ip by top 10 url?

I've been running something like this:

index=firewall | stats count by src_ip, url
| sort 0 src_ip -count
| streamstats count as standings by src_ip
| where standings < 11
| eventstats sum(count) as total by category
| sort 0 -total src_ip -count

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=firewall 
| stats count by src_ip, url
| sort 0 src_ip -count
| streamstats count as standings by src_ip
| where standings < 11
| eventstats sum(count) as total by src_ip
| sort 0 -total src_ip -count
| streamstats count(eval(standings=1)) as rank
| where rank < 11

View solution in original post

0 Karma

efavreau
Motivator

@jhamot23  Did you know there's a top command? (it defaults to top 10, but this is configurable if you want)
See if this gets you in the neighborhood:

 

index=firewall
| top src_ip BY url

 

###

If this reply helps you, an upvote would be appreciated.
0 Karma

jhamot23
Engager

Appreciate the insights. Yes I just started playing around with the top command, and this did help get me in the neighborhood but was looking for a more cleaner list of just top 10 src_ips by top 10 urls visited. Looks like the suggestion below got me the list I was looking for. Thank you! 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=firewall 
| stats count by src_ip, url
| sort 0 src_ip -count
| streamstats count as standings by src_ip
| where standings < 11
| eventstats sum(count) as total by src_ip
| sort 0 -total src_ip -count
| streamstats count(eval(standings=1)) as rank
| where rank < 11
0 Karma

jhamot23
Engager

This is what I was looking for! Thank you!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...