Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

group ip by count

janfabo
Explorer
‎09-06-2012 01:45 PM

Hello, I'm trying to write search, that will show me denied ip's sorted by it's count, like this:
host="1.1.1.1" denied | stats sum(count) as count by src_ip | graph, but this only shows me number of matching events and no stats. I'd like to visualize result in form of either table or chart. Could you please advise me how to do that? Thanx in advance.

Tags (1)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-06-2012 11:46 PM

First of all, src_ip must actually be a field that exists in the data and is extracted by Splunk.

If it is, then

... "denied" | top src_ip

or

... "denied" | stats count by src_ip | sort - count
Reply

janfabo
Explorer
‎09-07-2012 10:52 PM

Great, it works! The field didn't exists, after adding extraction rule everything works. thanks.

0 Karma
Reply

janfabo
Explorer
‎09-06-2012 11:24 PM

well, this shows 0 results even if there are 10 matching events (1). See the picture here. When I click 2 at the picture there is 10 log records. Maybe I have something misconfigured...

0 Karma
Reply

jonuwz
Influencer
‎09-06-2012 11:34 PM

Can you post a sample of the data?

0 Karma
Reply

jonuwz
Influencer
‎09-06-2012 02:59 PM

Something like this :

host="20.20.20.5" denied | chart count by src_ip

?

Reply

janfabo
Explorer
‎09-06-2012 02:00 PM

well I did it through CLI: # ./splunk search "host=\"20.20.20.5\" denied" | awk '{ print $14 }' | sort | uniq -c , but how to do it through webinterface?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...