Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the basic search for detecting Multiple HTTP errors from unique IP?

mohsplunking
Path Finder
‎09-13-2023 04:10 PM

Hello Splunkers,

Can someone help me with a query to detect multiple http errors from single IP , basically when the status code is in 400s/500s.

Thank you,

regards,

Moh

Labels (1)
Labels
Tags (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-13-2023 04:16 PM

Basic query is something like this, but will depend on your fields

index=your_source_index status>=400 status<600
| stats count by ip status

You will then get a table of ip+status+count

you can do whatever you want to do with that - what's your goal?

 

0 Karma
Reply

mohsplunking
Path Finder
‎09-14-2023 01:02 AM

Thanks for your response, the goal is to list the IP's that is causing maximum http errors. Lets say where errors are >100.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 01:26 AM

Hi @mohsplunking,

if you need the total count of errors, the solution from @bowesmana is perfect.

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply

mohsplunking
Path Finder
‎09-14-2023 01:35 AM

Hello gcusello,

Thanks for your inputs, However, like  I said the use case is I'm looking for IP that is causing maximum number of http errors(400s,500s) , lets say I'm trying to find a single IP that is causing  over 100 http errors . I think in the query we will have to use eval&case functions too.

Please let me know if you need further clarifications on the above.

Moh.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2023 11:02 PM

@mohsplunking ,

if you ne only an alert, as I said, the solution from @bowesmana is perferct and you don't need any additional command.

the eval/case  could be useful if you need to display some additional information e.g. a level of alert quantity.

Ciao.

Giuseppe

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2023 05:12 PM

@mohsplunking 

index=your_source_index status>=400 status<600
| stats count by ip
| where count>100

or you can do 

index=your_source_index status>=400 status<600
| top ip 
| where count > 100

but I would prefer stats over top

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
li.common.scroll-to.top