Stats function per IP over time

twistedsixty4 · ‎06-10-2013

hey all,
I'm trying to grab stats on firewall denied IPs per minute over a time frame (adjustable but standard at 15m). the idea is to get a simple table of min max avg stdev (of denies per ip) per minute i can successfully do it with a timechart function, but it lump IPs together into NULL and 'other' groups after the first 10 or so records which breaks the purpose. here is what i've got..

(index=cisco* OR index=f5 OR index=app) linecount="1" | search action="blocked" | bucket _time span=1m | stats min(count), max(count), avg(count), stdev(count) by _time

can anyone help?
thanks

carmackd · ‎06-10-2013

You could set 0 limit on series for timechart

limit
Syntax: limit=
Description: Specify a limit for series filtering; limit=0 means no filtering. By default, setting limit=N would filter the top N values based on the sum of each series.

but if you're aggregating over many, horizontal scrolling becomes an issue 🙂

Stats function per IP over time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

Stats function per IP over time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!