It seems simple but somehow the answer escapes me. I have Apache HTTP access logs and I want to look for source IPs that produced the highest number of distinct HTTP response codes, methods, etc.
E.g. 10.10.10.10 only used GET, while 11.11.11.11 used GET, POST, PUT, etc. on my webserver. You can see where I am going with this.
So, what kind of query would do it?
In the end, I ended up using these:
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count
and this
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count
with GREAT results that led me to some fun web mayhem that was happening.
Thanks a lot to all involved 🙂
In addition to what lguinn posted, this
sourcetype="access_combined" | stats distinct_count(method) as dcm by clientip | sort -dcm
is fairly explicit.
Thanks a lot for this!!
Well, probably not more efficient, but more clearly corresponding to what you're asking for.
Ah, that's a more efficient solution.
Here are two examples of what you asked for --
Highest number of methods used, not counting duplicates
sourcetype="access_combined" | dedup clientip, method | top clientip
Highest number of unique pages visited
sourcetype="access_combined" | dedup clientip, uri | top clientip
But here are variations that might be more useful --
sourcetype="access_combined" | stats count by clientip, method | sort -count
sourcetype="access_combined" | stats count by clientip, uri | sort -count
Finally, take it to the next level by clicking the "Build Report" button and making a graph or chart of the results!
Thanks a lot for this as well!!
To really figure out what he asked, the last couple should actually look like: sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count
This (http://splunk-base.splunk.com/answers/6015/display-field-uniques-in-search) seems related but isn't quite the same since I need to rank by uniqueness...
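All the queries in this thread reduce to one computation: for each source IP, count the distinct values of a field (method or status) and rank IPs by that count. As an added example, not code from the thread or from Splunk, the Python script below parses Apache combined-format lines (the same fields Splunk extracts for access_combined: clientip, method, uri, status, ...) and reproduces three equivalent forms from the answers above: `stats distinct_count(method) as dcm by clientip | sort -dcm`, the two-stage `stats count by clientip, method | stats count by clientip`, and lguinn's `dedup clientip, method | top clientip`. It also shows why the single-stage `stats count by clientip, method | sort -count` answers a different question. The log lines, IP addresses and function names are constructed assumptions for illustration.

```python
"""Rank source IPs by how many distinct HTTP methods / status codes they used.

Constructed sample data (assumption); the ranking mirrors the SPL
`stats distinct_count(<field>) by clientip | sort -dc` from the thread.
"""
import re
from collections import defaultdict

# Apache "combined" log format, i.e. the fields Splunk's access_combined
# sourcetype extracts as clientip, method, uri, status, ...
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)")?'
)

# Constructed sample lines (not real traffic). 10.10.10.10 only issues GETs,
# 11.11.11.11 cycles through several methods and trips several status codes,
# and the last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
10.10.10.10 - - [10/Oct/2012:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.10.10.10 - - [10/Oct/2012:13:55:37 -0700] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.10.10 - - [10/Oct/2012:13:55:38 -0700] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
11.11.11.11 - - [10/Oct/2012:13:56:01 -0700] "GET /login HTTP/1.1" 200 512 "-" "curl/7.29"
11.11.11.11 - - [10/Oct/2012:13:56:02 -0700] "POST /login HTTP/1.1" 401 128 "-" "curl/7.29"
11.11.11.11 - - [10/Oct/2012:13:56:03 -0700] "PUT /upload.php HTTP/1.1" 405 64 "-" "curl/7.29"
11.11.11.11 - - [10/Oct/2012:13:56:04 -0700] "OPTIONS * HTTP/1.1" 200 0 "-" "curl/7.29"
11.11.11.11 - - [10/Oct/2012:13:56:05 -0700] "DELETE /upload.php HTTP/1.1" 403 64 "-" "curl/7.29"
12.12.12.12 - - [10/Oct/2012:13:57:00 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
12.12.12.12 - - [10/Oct/2012:13:57:01 -0700] "HEAD /index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def parse_combined(text):
    """Return one dict per parsable line; unparsable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_by(events, *fields):
    """SPL `stats count by f1, f2, ...` -> {(v1, v2, ...): count}."""
    counts = defaultdict(int)
    for ev in events:
        counts[tuple(ev[f] for f in fields)] += 1
    return dict(counts)


def _rank(per_ip):
    # Highest count first; tie-break on the IP so the order is deterministic.
    return sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))


def distinct_count_by_clientip(events, field):
    """SPL `stats distinct_count(field) as dc by clientip | sort -dc`.

    Also equals `stats count by clientip, field | stats count by clientip`:
    the first stats yields one row per (clientip, field) pair and the
    second counts those rows per clientip.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["clientip"]].add(ev[field])
    return _rank({ip: len(values) for ip, values in seen.items()})


def dedup_then_top(events, field):
    """lguinn's `dedup clientip, field | top clientip`: keep the first event
    for each (clientip, field) pair, then count the surviving events per IP."""
    kept = set()
    per_ip = defaultdict(int)
    for ev in events:
        key = (ev["clientip"], ev[field])
        if key not in kept:
            kept.add(key)
            per_ip[ev["clientip"]] += 1
    return _rank(per_ip)


def top_pairs(events, field):
    """`stats count by clientip, field | sort -count`: ranks (IP, value) pairs
    by request volume, a different question from the ones above (a noisy
    GET-only crawler outranks a low-volume client probing many methods)."""
    return sorted(count_by(events, "clientip", field).items(),
                  key=lambda kv: (-kv[1], kv[0]))


EVENTS = parse_combined(SAMPLE_LOG)

if __name__ == "__main__":
    for field in ("method", "status"):
        print(f"distinct {field} values per clientip:")
        for ip, dc in distinct_count_by_clientip(EVENTS, field):
            print(f"  {ip:<15} {dc}")
    print("busiest (clientip, method) pairs:")
    for (ip, method), n in top_pairs(EVENTS, "method")[:3]:
        print(f"  {ip:<15} {method:<8} {n}")
```

On the sample data the distinct-method ranking puts 11.11.11.11 first with five methods, while the volume ranking from `top_pairs` puts the GET-only 10.10.10.10 first, which is exactly the distinction the last comment in the thread draws between the one-stage and two-stage `stats`. Swap `"method"` for `"status"` (or `"uri"`) to get the other rankings the thread asks about.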
