Splunk Search

How to search for source IPs with the highest number of distinct/unique HTTP methods?

New Member

It seems simple but somehow the answer escapes me. I have Apache http access logs and I want to look for source IPs that produced the highest number of HTTP response codes, methods, etc.

E.g. 10.10.10.10 only used GET, while 11.11.11.11 used GET, POST, PUT, etc. on my webserver. You can see where I am going with this.

So, what kinda query would do it?

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

New Member

This (http://splunk-base.splunk.com/answers/6015/display-field-uniques-in-search) seems related but isn't quite the same since I need to rank by uniqueness...

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

Legend

Here are two examples of what you asked for --

Most number of methods used, not counting duplicates

sourcetype="access_combined" | dedup clientip, method  | top clientip

Most number of unique pages visited

sourcetype="access_combined" | dedup clientip, uri  | top clientip

But here are variations that might be more useful --

sourcetype="access_combined" | stats count by clientip, method | sort -count

sourcetype="access_combined" | stats count by clientip, uri | sort -count

Finally, take it to the next level by clicking the "Build Report" button and making a graph or chart of the results!

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

Splunk Employee

To really figure out what he asked, the last couple should actually look like: sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

New Member

Thanks a lot for this as well!!

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

Splunk Employee

In addition to what lguinn posted, this

sourcetype="access_combined" | stats distinct_count(method) as dcm by clientip | sort -dcm

is fairly explicit.

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

Legend

Ah, that's a more efficient solution.

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

Splunk Employee

Well, probably not more efficient, but more clearly corresponding to what you're asking for.

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

New Member

Thanks a lot for this!!

0 Karma

Re: How to search for source IPs with the highest number of distinct/unique HTTP methods?

New Member

In the end, I ended up using these:

sourcetype="accesscombinedwcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count

and this

sourcetype="accesscombinedwcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count

with GREAT results that led me to some fun web mayhem that was happening.

Thanks a lot to all involved 🙂

0 Karma
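The ranking that the distinct_count query and the two-stage "stats count by clientip, method | stats count by clientip" query in this thread produce, as an added Python example that is not from the thread or from Splunk: it assumes plain Apache combined-format lines (what the access_combined sourcetype parses) read outside Splunk, and the sample log below is constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format, i.e. what Splunk's access_combined sourcetype parses.
# Lines whose request line is not "<METHOD> <uri> <proto>" do not match and are skipped.
ACCESS_COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

def parse_access_combined(lines):
    """Return one dict per well-formed line, with the same field names Splunk extracts."""
    events = []
    for line in lines:
        m = ACCESS_COMBINED_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events

def rank_by_distinct(lines, field):
    """Equivalent of: ... | stats distinct_count(<field>) as dc by clientip | sort -dc
    (and of the two-stage 'stats count by clientip, <field> | stats count by clientip').
    Returns [(clientip, distinct_count), ...] sorted by count descending, then by IP."""
    seen = defaultdict(set)
    for ev in parse_access_combined(lines):
        seen[ev["clientip"]].add(ev[field])
    return sorted(((ip, len(vals)) for ip, vals in seen.items()),
                  key=lambda row: (-row[1], row[0]))

# Constructed sample log: one client that only ever issues GET, one that walks through
# several methods and collects a spread of status codes, one HEAD-only client, one junk line.
SAMPLE_LOG = [
    '10.10.10.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08"',
    '10.10.10.10 - - [10/Oct/2000:13:55:40 -0700] "GET /about.html HTTP/1.0" 200 1024 "-" "Mozilla/4.08"',
    '10.10.10.10 - - [10/Oct/2000:13:55:41 -0700] "GET /missing.html HTTP/1.0" 404 209 "-" "Mozilla/4.08"',
    '11.11.11.11 - - [10/Oct/2000:13:56:01 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.64"',
    '11.11.11.11 - - [10/Oct/2000:13:56:02 -0700] "POST /login HTTP/1.1" 302 0 "-" "curl/7.64"',
    '11.11.11.11 - - [10/Oct/2000:13:56:03 -0700] "PUT /upload HTTP/1.1" 403 199 "-" "curl/7.64"',
    '11.11.11.11 - - [10/Oct/2000:13:56:04 -0700] "DELETE /upload HTTP/1.1" 405 178 "-" "curl/7.64"',
    '11.11.11.11 - - [10/Oct/2000:13:56:05 -0700] "OPTIONS / HTTP/1.1" 200 0 "-" "curl/7.64"',
    'this line is not in combined format and is dropped by the parser',
    '12.12.12.12 - - [10/Oct/2000:13:57:00 -0700] "HEAD /index.html HTTP/1.1" 200 0 "-" "monitor/1.0"',
]

if __name__ == "__main__":
    for field in ("method", "status"):
        print(f"distinct {field} per clientip:", rank_by_distinct(SAMPLE_LOG, field))
```

A client that tops both rankings (many methods and many status codes from one IP) is the same signal the thread's final two queries surface, so the two lists are worth comparing side by side.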