Having trouble creating a search that will determine if any single unique IP hits a defined URL 5 or more times within a 30 minute time frame. I've been trying something like this...
index=*index* sourcetype=*sourcetype* URL="*uriPath*"
| stats dc(*uriPath*) as URL by *srcIP*
| where URL>5
If it is a single uriPath you are looking at, you can do this:
index="<index>" sourcetype="<sourcetype>" URL="<uriPath>" | stats count by srcIP | search count>=5
@sbhuie, try the following:
index=<index> sourcetype=<sourcetype> URL="<uriPath>"
| bin _time span=30min
| stats count as Hits by _time srcIP
| where Hits>=5
| xyseries _time srcIP Hits
Following is a run-anywhere search example based on Splunk's _internal index:
index=_internal sourcetype=splunkd_ui_access
| bin _time span=30min
| stats count as Hit by _time clientip
| search Hit>=5
| xyseries _time clientip Hit
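To make the logic of both answers above concrete outside Splunk, here is an added Python example (not from the original thread or from Splunk) that replays the same detection over a few constructed access-log lines. `hits_by_bin` mirrors `bin _time span=30min | stats count by _time srcIP | where count>=5`: it floors each event to an epoch-aligned 30-minute bucket and counts hits per (bucket, IP). `hits_by_sliding_window` goes one step further than the SPL and checks any 30-minute window, which catches a burst that straddles a bucket boundary (five hits spread from 10:40 to 11:10 land in two different buckets and are missed by binning). The log format, IPs and URIs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (not real data):
# "<ISO timestamp, UTC> <client IP> <URI>"
SAMPLE_LOG = """\
2024-01-01T10:01:00 10.0.0.5 /login
2024-01-01T10:05:00 10.0.0.5 /login
2024-01-01T10:09:00 10.0.0.5 /login
2024-01-01T10:14:00 10.0.0.5 /login
2024-01-01T10:20:00 10.0.0.5 /login
2024-01-01T10:22:00 10.0.0.5 /search
2024-01-01T10:40:00 10.0.0.9 /login
2024-01-01T10:50:00 10.0.0.9 /login
2024-01-01T10:55:00 10.0.0.9 /login
2024-01-01T11:05:00 10.0.0.9 /login
2024-01-01T11:10:00 10.0.0.9 /login
2024-01-01T11:12:00 10.0.0.7 /login
"""

SPAN = timedelta(minutes=30)
THRESHOLD = 5


def parse(log_text):
    """Turn the constructed log into (timestamp, ip, uri) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, uri = line.split()
        events.append((datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), ip, uri))
    return events


def hits_by_bin(events, uri_path, span=SPAN, threshold=THRESHOLD):
    """Equivalent of: URL="<uriPath>" | bin _time span=30min
    | stats count by _time srcIP | where count>=threshold.
    Returns {(bin_start_iso, ip): count} for every bucket over the threshold."""
    span_s = int(span.total_seconds())
    counts = defaultdict(int)
    for ts, ip, uri in events:
        if uri != uri_path:
            continue
        epoch = int(ts.timestamp())
        bin_start = epoch - epoch % span_s          # epoch-aligned bucket, like bin
        counts[(bin_start, ip)] += 1
    return {
        (datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"), ip): n
        for (b, ip), n in counts.items()
        if n >= threshold
    }


def hits_by_sliding_window(events, uri_path, span=SPAN, threshold=THRESHOLD):
    """Flag an IP if any window of length `span` contains >= threshold hits,
    regardless of bucket boundaries. Returns {ip: max hits in one window}."""
    per_ip = defaultdict(list)
    for ts, ip, uri in events:
        if uri == uri_path:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        left, best = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > span:          # shrink window from the left
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    print("binned:  ", hits_by_bin(EVENTS, "/login"))
    print("sliding: ", hits_by_sliding_window(EVENTS, "/login"))
```

Running it shows only 10.0.0.5 in the binned result, while the sliding-window check also flags 10.0.0.9, whose five hits span the 11:00 boundary. If that gap matters for your use case, the SPL equivalent is a shorter `span` with a follow-up `streamstats` over a time window rather than a single `bin`, at the cost of a heavier search.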