Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search to sum if IP is observed in different days

fatsug
Contributor
‎07-21-2022 03:38 AM

Hello community

I’m trying to figure out how to perform a search which considers events on different days.

The idea is to search for an events by IP address and what I’d like to achieve is to check if the same IP (the same type of event) is observed in more than one specified timeframe (day/week/month). I started out with the following:

<base-search> earliest="-7d@d" latest="@d"
| stats count by ip date

And thought I could compare if IP address occurs on more than one date. Though I suppose I’d have to loop through all the results for each IP and I could not get the SPL to work at all.

Instead I figured that I could use something like

| bin span=1d _time
| stats count as c_ip by _time

I figured I could compare content of bins somehow, though the bins are still just by “date”.

I figured I’d be able to combine this with something like “eval” to get IP addresses which has events on more than one date in rage, preferably with number of events per date/bin and a total. Thi smay also need some "fillnull" or something.

IP2022-06-292022-07-012022-07-022022-07-12Sum
<ip1>658221
<ip2>-5-49

Though I am not having any success.

I hope I managed to articulate my idea here. If so, is what I’m aiming fore possible? Any suggestions/feedback is greatly appreciated, close enough would be a lot better than nothing 🙂

Best regards

// G

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:44 AM 
| stats count by ip date
| eventstats count as days by ip
| where days > 1
| xyseries ip date count
| addtotals col=f row=t

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:21 AM 
| stats count by ip date
| xyseries ip date count
| addtotals col=f row=t
Reply
Solved! Jump to solution

fatsug
Contributor
‎07-21-2022 04:35 AM

@ITWhispererGreat start, thank you!

So, this gives me the table I was after. However, it does not filter out only IP adresses which has events on more than one date. Taking the same example again and expanding

IP2022-06-292022-07-012022-07-022022-07-12Sum
<ip1>658221
<ip2>-5-49
<ip3>-23--23

In this example, <ip3> should not be included in the results as there are only events on a single date. I'm only looking for IPs with events on at least two different dates.

Best regards

// G

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 04:44 AM 
| stats count by ip date
| eventstats count as days by ip
| where days > 1
| xyseries ip date count
| addtotals col=f row=t
Reply
Solved! Jump to solution

fatsug
Contributor
‎07-21-2022 04:48 AM

Nice! Big thank you, exactly what I needed

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...