Splunk Search

How to search for any source IP addresses that have more than one result and sourcetype within a 5 minute period?

New Member

I'm trying to run a search on search results. The first search would bring back various logs and sourcetypes. I want to take the finished search, look at any source IP addresses that have more than 1 result and more than 1 sourcetype within a 5 minute time period. Any ideas on how I might be able to do this?


Re: How to search for any source IP addresses that have more than one result and sourcetype within a 5 minute period?

Super Champion

Without seeing your search results, these are all best guesses...

... | bin span=5m _time | stats count dc(sourcetype) AS sourcetypes BY source_ip _time | where count > 1 AND sourcetypes > 1

(bin first so the 5 minute bucket is what stats groups on; count gives the events per source IP per bucket, dc(sourcetype) gives how many different sourcetypes appeared in that bucket, and the where clause keeps only IPs that have both more than one event and more than one sourcetype.)

You can test this with internal logs easily :

index=_internal | bin span=5m _time | stats count by sourcetype source _time | where count > 1

(bin has to come before stats: if stats groups on the raw _time first, the counts are per original timestamp and a later bin only relabels _time without re-aggregating, so where count > 1 rarely matches anything.)
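As an added example, not part of the original thread or of Splunk itself, the following Python emulates the bin-then-stats pipeline on a handful of constructed events, so you can check what the search should return and see why the ordering of bin and stats matters. The field name src_ip, the sample IPs and timestamps are assumptions made up for the demonstration.

```python
"""Emulate the SPL pipeline

    ... | bin span=5m _time
        | stats count dc(sourcetype) AS sourcetypes BY src_ip _time
        | where count > 1 AND sourcetypes > 1

over constructed sample events, and contrast it with the reversed order
(stats on raw _time, then bin), which never merges events into a window.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs): (timestamp, src_ip, sourcetype).
# Windows are 10:00-10:04:59, 10:05-10:09:59, 10:10-10:14:59.
SAMPLE_EVENTS = [
    ("2024-01-15T10:01:10Z", "10.0.0.5", "linux_secure"),
    ("2024-01-15T10:03:40Z", "10.0.0.5", "cisco:asa"),
    ("2024-01-15T10:04:59Z", "10.0.0.5", "linux_secure"),
    ("2024-01-15T10:02:00Z", "10.0.0.9", "linux_secure"),
    ("2024-01-15T10:03:00Z", "10.0.0.9", "linux_secure"),  # 2 events, 1 sourcetype
    ("2024-01-15T10:06:30Z", "10.0.0.7", "cisco:asa"),
    ("2024-01-15T10:09:10Z", "10.0.0.7", "linux_secure"),
    ("2024-01-15T10:11:00Z", "10.0.0.7", "wineventlog"),   # alone in its window
]

SPAN_SECONDS = 300  # span=5m


def bin_time(ts: str, span: int = SPAN_SECONDS) -> int:
    """Equivalent of `bin span=5m _time`: floor epoch seconds to the span start."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - (epoch % span)


def stats_by_ip_window(events, span: int = SPAN_SECONDS):
    """Equivalent of `stats count dc(sourcetype) AS sourcetypes BY src_ip _time`
    run AFTER bin. Returns {(src_ip, window_start): (count, distinct_sourcetypes)}."""
    counts = defaultdict(int)
    types = defaultdict(set)
    for ts, ip, st in events:
        key = (ip, bin_time(ts, span))
        counts[key] += 1
        types[key].add(st)
    return {k: (counts[k], len(types[k])) for k in counts}


def multi_sourcetype_ips(events, span: int = SPAN_SECONDS, min_count=2, min_types=2):
    """Equivalent of `where count > 1 AND sourcetypes > 1`.
    Returns sorted (src_ip, window_start, count, sourcetypes) rows."""
    return sorted(
        (ip, window, c, d)
        for (ip, window), (c, d) in stats_by_ip_window(events, span).items()
        if c >= min_count and d >= min_types
    )


def stats_then_bin(events, span: int = SPAN_SECONDS):
    """The reversed order: stats BY the raw _time first, then bin.
    Each row is keyed on the exact timestamp, so bin merely relabels _time
    and nothing is merged; with distinct timestamps no row reaches count > 1."""
    rows = defaultdict(int)
    for ts, ip, st in events:
        rows[(ip, st, ts)] += 1
    return [(ip, st, bin_time(ts, span), c) for (ip, st, ts), c in rows.items() if c > 1]


if __name__ == "__main__":
    for ip, window, c, d in multi_sourcetype_ips(SAMPLE_EVENTS):
        start = datetime.fromtimestamp(window, tz=timezone.utc).strftime("%H:%M")
        print(f"{ip} window starting {start}: {c} events, {d} sourcetypes")
    print("reversed order matches:", stats_then_bin(SAMPLE_EVENTS))
```

On the sample data 10.0.0.5 (three events, two sourcetypes in the 10:00 window) and 10.0.0.7 (two events, two sourcetypes in the 10:05 window) are reported, 10.0.0.9 is not because both of its events share one sourcetype, and the reversed pipeline returns nothing at all.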