In the end, I ended up using these:
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count
and this
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count
with GREAT results that led me to some fun web mayhem that was happening.
Thanks a lot to all involved 🙂
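As an added illustration that is not part of this thread, the Python script below does offline what the two-stage `stats` queries above do in Splunk: it parses a few constructed Apache combined-format lines (the log sample and the regex are assumptions for the example, not Splunk's own extraction) and ranks each client IP by how many distinct methods and status codes it produced.

```python
import re
from collections import defaultdict

# Regex for the Apache "combined" access log format (written for this example).
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: 10.10.10.10 only ever sends GET/200, while 11.11.11.11
# uses several methods and triggers several status codes.
SAMPLE_LOG = """\
10.10.10.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.10 - - [01/Jan/2024:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 734 "-" "Mozilla/5.0"
11.11.11.11 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
11.11.11.11 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 403 128 "-" "curl/8.0"
11.11.11.11 - - [01/Jan/2024:10:00:05 +0000] "PUT /upload HTTP/1.1" 405 0 "-" "curl/8.0"
11.11.11.11 - - [01/Jan/2024:10:00:06 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "curl/8.0"
12.12.12.12 - - [01/Jan/2024:10:00:07 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
12.12.12.12 - - [01/Jan/2024:10:00:08 +0000] "HEAD /index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
not a log line
"""

def parse_events(log_text):
    """Yield one field dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def rank_by_distinct(events, field):
    """Same result as `stats count by clientip, <field> | stats count by clientip | sort -count`:
    the number of distinct values of `field` seen per client IP, highest first."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["clientip"]].add(ev[field])
    return sorted(((ip, len(vals)) for ip, vals in seen.items()),
                  key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for field in ("method", "status"):
        print(f"distinct {field} values per clientip:")
        for ip, n in rank_by_distinct(events, field):
            print(f"  {n:3d}  {ip}")
```

A client that stands out on both rankings at once (many methods and many status codes) is the kind of source the queries above were built to surface.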
This (http://splunk-base.splunk.com/answers/6015/display-field-uniques-in-search) seems related but isn't quite the same since I need to rank by uniqueness...
It seems simple but somehow the answer escapes me. I have Apache http access logs and I want to look for source IPs that produced the highest number of HTTP response codes, methods, etc.
E.g. 10.10.10.10 only used GET, while 11.11.11.11 used GET, POST, PUT, etc. on my webserver. You can see where I am going with this.
So, what kinda query would do it?
Why can't I do field extraction from a previously built eventtype? I can limit extraction to a sourcetype, but not to an eventtype?
I feel like event types and custom field extraction are a marriage made in heaven, but somehow the Splunk UI does not let me achieve it...
I am sure there is some kinda hack in the conf files to do it... can anybody enlighten me?