Splunk Search

Splunk search command- How to get table?

dj56
Explorer

Hello,

Assuming i have numbers, let's say 1-2-3-4-5-6. And each of those represent

Ip adress number of request method
1.1.1.2 1 get
1.1.1.3 1 get
1.1.1.4 2 get
1.1.1.5 4 get
1.1.1.6 4 get
1.1.1.7 5 get
1.1.1.8 7 get

 

What's could be the search to get following table

 

number of requests number of IPs that make 'x' requests
1 2 (meaning to client has made 1 requests)
2 1
3 0
4 2
5 1
6 0
7 1
8 0
9 0

 

Thanks

Labels (3)
0 Karma
1 Solution

FrankVl
Ultra Champion

Just add something like:
| stats count as clientcount by count

View solution in original post

dj56
Explorer

Hy 

I took a picture to illustrate a bit what I would like to do.

 

1..jpg

 

Basically I want to do this :

how many client have made 1 requests ?

how many client have made 2 requests ?

how many client have made 3 requests ?

... so on and so forth ...

 

 Take the data in the `count` column and the `clientip` column and sort them with a search so as to answer my questions above.

 

The final table should look something like this:

 

nb_requests Total_client
1 7
2 2
4 1
7 1
0 Karma

FrankVl
Ultra Champion

Just add something like:
| stats count as clientcount by count

dj56
Explorer

Hello boss,

Your tips helped out.

very glad now 🙂

Thank you for the help.

0 Karma

gcusello
Esteemed Legend

Hi @dj56,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

gcusello
Esteemed Legend

Hi @dj56,

did you tried my solution adapting it to your need?

Ciao.

Giuseppe

dj56
Explorer

Oh sorry

Yes i tried but i didn't get what i want. Probably because i don't have i field called "number_of_requests" as that digit result from  a search count.

Thank you for your help.

0 Karma

gcusello
Esteemed Legend

Hi @dj56,

tell me if it's all clear for you and please accept one answer for the other people of Communty.

otherwise, please share your search to help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
Esteemed Legend

Hi @dj56,

you can use stats dc to find the number of distinct occerrences for each number of requests.

The main problem is when there isn't any occurrences, so you have to define the max number of occurrences to display.

So you have to define the maxnumber of occurrences, fine in this sample:

index=_internal | head 100
| stats dc(source) AS dc BY linecount
| append [ | makeresults count=5 | streamstats count AS linecount | eval dc=0 | fields - _time ]
| stats sum(dc) AS total BY linecount

 in your case, if the max number of requests is 10, you could have:

<your_search>
| stats dc(ip) AS ip_count BY number_of_requests
| append [ | makeresults count=5 | streamstats count AS number_of_requests | eval ip_count=0 | fields - _time ]
| stats sum(ip_count) AS total BY number_of_requests 

Ciao.

Giuseppe

johnhuang
Motivator

You need to run stats to count the number of distinct ip address against the "number of requests". Let's assume your fieldnames are "ip address" and "method":

<base_search>
| stats count as "number of request" by "ip address" method
| stats dc("ip address") AS "number of IPs that make requests" BY "number of request" method

Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...