We keep getting DDoS attacks that target our web applications.
I've setup Splunk and have all of our servers forwarding logs via syslog-ng which works like a charm.
I also setup an extracted field called "ip" that extracts the ip address from the apache logs which also works great.
I can't seem to figure how do I create a timeline chart with the count of each hit/event so I can determine who is at the top of the list.
When I "generate report.." that works fine, but how do I use my custom field as a search query? I've used:
and can't get any results.
... View more