Splunk Search

How to generate a search of unique URIs with all the client IPs hitting them in a comma-separated field, plus the total count of IPs hitting each URI?

krish899
New Member

I am in the process of creating a report in which I have URIs on many different hosts being hit from multiple IPs.

Requirement: I would like to have a report like this, where the IPs are comma-separated.

URI                           Client IP                                      Total count
-------------                 ----------------                               --------------
URI/XYZ/service/ENDPOINT      10.256.85.164,10.528.65.313,10.58.65.198       2500

But my search returns this:

sourcetype=xyz index=urx host=jjk*  | extract endpoint-extractions | stats count values(clientip) as ClientIP by uri | sort  by uri

uri                              count    ClientIP
//Services/Service?MMJD          53       10.166.148.11
                                          10.166.148.15
                                          10.166.149.13
/Services/Orders                 22       10.178.5.152
                                          10.178.5.153

I would like to get a 30-day report for 2000-plus services from different domains. tstats can be used to get the results quickly.

Please help me with a search to get the result for 30 days. I highly appreciate your help. Thanks in advance.

0 Karma
1 Solution

woodcock
Esteemed Legend

Just add this:

| nomv ClientIP | rex field=ClientIP mode=sed "s/\s+/,/g"

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Woodcock's should work. This would also work.

| eval ClientIP=mvjoin(ClientIP,",")

Hmmm. Regarding woodcock's code, rex is acting like some other kind of whitespace is in between the IP addresses after nomv, as opposed to a plain vanilla space.

| makeresults | eval ClientIP="10.166.148.11 10.166.148.15 10.166.149.13"  | makemv ClientIP | eval ClientIP1=ClientIP, ClientIP2=ClientIP, ClientIP3=ClientIP
| nomv ClientIP1 | rex field=ClientIP1 mode=sed "s/ /,/g"
| eval ClientIP2=mvjoin(ClientIP2,",")
| nomv ClientIP3 | rex field=ClientIP3 mode=sed "s/\s/,/g"
| table ClientIP ClientIP1 ClientIP2 ClientIP3


ClientIP =
10.166.148.11 
10.166.148.15 
10.166.149.13 

ClientIP1 = 10.166.148.11 10.166.148.15 10.166.149.13
ClientIP2 = 10.166.148.11,10.166.148.15,10.166.149.13  
ClientIP3 = 10.166.148.11,10.166.148.15,10.166.149.13 
0 Karma

woodcock
Esteemed Legend

Yes, I updated my answer to account for a more general variety.

0 Karma

krish899
New Member

Thanks @woodcock.

Appreciate your help.

I used this command for my report:

basesearch | extract endpoints-extractions | stats count values(clientip) as All_ClientIP by uri | eval clientip=mvjoin(All_ClientIP,",") | fields - All_ClientIP

Now I'll prefer using | eval ClientIP=mvjoin(ClientIP,",") in my next reports.

Thanks.

0 Karma

woodcock
Esteemed Legend

You accepted the wrong answer then! Mine does work (maybe worth upvoting it) but you should UnAccept mine and Accept the answer by @DalJeanis because his is better.

0 Karma
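A combined search for the 30-day report the original question describes, written here as an added example rather than code from any post in the thread. It assumes the same index, sourcetype, host pattern and extraction name as the question, and the output field names hits and unique_ips are chosen for this example:

```spl
sourcetype=xyz index=urx host=jjk* earliest=-30d@d latest=@d
| extract endpoint-extractions
| stats count AS hits dc(clientip) AS unique_ips values(clientip) AS ClientIP BY uri
| eval ClientIP=mvjoin(ClientIP, ",")
| sort - hits
| table uri ClientIP unique_ips hits
```

values() returns the distinct IPs per URI (capped by maxvalues in limits.conf), so dc() is reported alongside count to separate distinct-IP totals from total hits. tstats only sees indexed fields or accelerated data model fields, so the search-time fields produced by extract are not available to it without a data model.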