Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unique IP count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unique IP count
It seems like something that has been answered before but i have been unable to find the answer.
Is it possible to run a query that provides unique IP source addresses when searching for a particular string?
I've tried this however i'm not having any success:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats dc(src_ip)
Would be particularly helpful if a portion of the IP (Host, Network) could be queried.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jdhavo,
The stats command dc gives the distinct count as shown here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats
If you want the list of unique IP addresses you can use the values stats command. And if you want you can have both :
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) as src_ip dc(src_ip) as distinctCountIP
Note that values puts everything in the same block so you can use mvexpand command to split the results out into multiple lines.
In either case make sure the src_ip field exists or you won't be able to run anything 🙂
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The query you have right now simply returns the number of unique IP addresses. If you want the actual list of unique addresses, try this:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip)
Or:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats count by src_ip
To also get the number of events for each unique address.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your Splunk data contains IP address in them?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
