Solved: List of top client IP's each with their most commo...

soundchaos · ‎06-05-2014

I am trying to find a search command that will get me a list of my top 20 client ip addresses (c_ip) along with each given ip's top 1 user agent (cs_User_Agent_).

In laymans code: ... | top 20 c_ip each with top cs_User_Agent_

somesoni2 · ‎06-05-2014

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_

View solution in original post

somesoni2 · ‎06-05-2014

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_

somesoni2 · ‎06-06-2014

I sure I got your requirement, but try removing the portion of search after "|sort -count" (streamstats). That will list all user agents associated with respective c_ip.

soundchaos · ‎06-06-2014

Thank you! This is beautiful. Any ideas on how I might also compare each of these top IP's and show a readable list of how many / which user agents are associated, rather than just the single most common one?

List of top client IP's each with their most common user agent

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...