Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart with TIME, IPADDRESS and count

yatyat
Observer
‎02-03-2022 01:16 AM

Hi All,

I have below splunk data:

"new request: 127.0.0.1;url=login.jsp"

which contains the IPADDRESS (EX:127.0.0.1) and the URL (login.jsp)

 

I want to show a table which displays Number of requests made to (login.jsp) from every IPADDRESS on minute basis like below :

 

TimeStamp(Minutes)  IPADDRESS  COUNT

2022-01-13 22:03:00 ipaddress1 count1

2022-01-13 22:03:00 ipaddress2 count2

2022-01-13 22:03:00 ipaddress3 count3

2022-01-13 22:04:00 ipaddress1 count1

2022-01-13 22:04:00 ipaddress2 count2

 

which displays the count in descending order.

Please advise how to achieve this ?

 

Thanks

2022-01-13 22:04:00 ipaddress3 count3

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-03-2022 01:30 AM

It's not obvious whether you have problem with extraction or doing the stats.

But assuming your data is not parsed at all, you need something like that

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| timechart span=1m count by IPADDR
0 Karma
Reply

yatyat
Observer
‎02-03-2022 01:36 AM

It displays the data in this manner. It is difficult to get the data sorted by count manually.

samplesample

 

 

I need to get the highest number of requests made by an IPADDRESS in a minute. Can you please help?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-03-2022 03:20 AM

Ahh, right. The timechart indeed does many separate series. You can do it a bit differently.

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| bin _time span=1m
| stats count by IPADDR _time
| sort - count

 

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...