Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

List of top client IP's each with their most common user agent

soundchaos
Path Finder
‎06-05-2014 11:18 AM

I am trying to find a search command that will get me a list of my top 20 client ip addresses (c_ip) along with each given ip's top 1 user agent (cs_User_Agent_).

In laymans code: ... | top 20 c_ip each with top cs_User_Agent_

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-05-2014 01:47 PM

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-05-2014 01:47 PM

Try this

index=yourIndex sourcetype=yourSourcetype [search index=yourIndex sourcetype=yourSourcetype| top 20 c_ip | table c_ip]| stats count by c_ip,cs_User_Agent_ | sort - count | streamstats count as sno by c_ip | where sno=1 | table c_ip,cs_User_Agent_
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-06-2014 01:09 PM

I sure I got your requirement, but try removing the portion of search after "|sort -count" (streamstats). That will list all user agents associated with respective c_ip.

0 Karma
Reply
Solved! Jump to solution

soundchaos
Path Finder
‎06-06-2014 10:09 AM

Thank you! This is beautiful. Any ideas on how I might also compare each of these top IP's and show a readable list of how many / which user agents are associated, rather than just the single most common one?

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...