How to create a search to find the same IP hitting...

sbhuie · ‎06-21-2019

Having trouble creating a search that will determine if any single unique IP hits a defined URL 5 or more times within a 30 minute time frame. I've been trying something like this...

index=*index* sourcetype=*sourcetype* URL="*uriPath*"
| stats dc(*uriPath*) as URL by *srcIP*
| where URL>5

spayneort · ‎06-24-2019

If it is a single uriPath you are looking at, you can do this:

index="<index>" sourcetype="<sourcetype>" URL="<uriPath>" | stats count by srcIP | search count>5

niketn · ‎06-23-2019

@sbhuie try the following

 index=<index> sourcetype=<sourcetype> URL="<uriPath>"
 | bin _time span=30min
 | stats dc(URL) as URL by _time srcIP
 | where URL>5
 | xyseries _time srcIP URL

Following is run anywhere search example based on Splunk's _internal index

index=_internal sourcetype=splunkd_ui_access
| bin _time span=30min
| stats dc(uri) as Hit by _time  clientip
| search Hit>5
| xyseries _time clientip Hit

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to create a search to find the same IP hitting specific URL (x number of times)?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation