Splunk Search

List of top client IP's each with their most common user agent

soundchaos
Path Finder

I am trying to find a search command that will get me a list of my top 20 client ip addresses (c_ip) along with each given ip's top 1 user agent (cs_User_Agent_).

In laymans code: ... | top 20 c_ip each with top cs_User_Agent_

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_

View solution in original post

somesoni2
Revered Legend

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_

somesoni2
Revered Legend

I sure I got your requirement, but try removing the portion of search after "|sort -count" (streamstats). That will list all user agents associated with respective c_ip.

0 Karma

soundchaos
Path Finder

Thank you! This is beautiful. Any ideas on how I might also compare each of these top IP's and show a readable list of how many / which user agents are associated, rather than just the single most common one?

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...