group ip by count

janfabo · ‎09-06-2012

Hello, I'm trying to write search, that will show me denied ip's sorted by it's count, like this:
host="1.1.1.1" denied | stats sum(count) as count by src_ip | graph, but this only shows me number of matching events and no stats. I'd like to visualize result in form of either table or chart. Could you please advise me how to do that? Thanx in advance.

gkanapathy · ‎09-06-2012

First of all, src_ip must actually be a field that exists in the data and is extracted by Splunk.

If it is, then

... "denied" | top src_ip

or

... "denied" | stats count by src_ip | sort - count

janfabo · ‎09-07-2012

Great, it works! The field didn't exists, after adding extraction rule everything works. thanks.

janfabo · ‎09-06-2012

well, this shows 0 results even if there are 10 matching events (1). See the picture here. When I click 2 at the picture there is 10 log records. Maybe I have something misconfigured...

jonuwz · ‎09-06-2012

Can you post a sample of the data?

jonuwz · ‎09-06-2012

Something like this :

host="20.20.20.5" denied | chart count by src_ip

?

janfabo · ‎09-06-2012

well I did it through CLI: # ./splunk search "host=\"20.20.20.5\" denied" | awk '{ print $14 }' | sort | uniq -c , but how to do it through webinterface?

group ip by count

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!