Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart with TIME, IPADDRESS and count

yatyat
Observer
‎02-03-2022 01:16 AM

Hi All,

I have below splunk data:

"new request: 127.0.0.1;url=login.jsp"

which contains the IPADDRESS (EX:127.0.0.1) and the URL (login.jsp)

 

I want to show a table which displays Number of requests made to (login.jsp) from every IPADDRESS on minute basis like below :

 

TimeStamp(Minutes)  IPADDRESS  COUNT

2022-01-13 22:03:00 ipaddress1 count1

2022-01-13 22:03:00 ipaddress2 count2

2022-01-13 22:03:00 ipaddress3 count3

2022-01-13 22:04:00 ipaddress1 count1

2022-01-13 22:04:00 ipaddress2 count2

 

which displays the count in descending order.

Please advise how to achieve this ?

 

Thanks

2022-01-13 22:04:00 ipaddress3 count3

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-03-2022 01:30 AM

It's not obvious whether you have problem with extraction or doing the stats.

But assuming your data is not parsed at all, you need something like that

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| timechart span=1m count by IPADDR
0 Karma
Reply

yatyat
Observer
‎02-03-2022 01:36 AM

It displays the data in this manner. It is difficult to get the data sorted by count manually.

samplesample

 

 

I need to get the highest number of requests made by an IPADDRESS in a minute. Can you please help?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-03-2022 03:20 AM

Ahh, right. The timechart indeed does many separate series. You can do it a bit differently.

<your index/sourcetype selection> login.jsp
| rex "new\srequest:\s(?<IPADDR>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| bin _time span=1m
| stats count by IPADDR _time
| sort - count

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...