Hello all,
Just wondering if it is possible, and how, to do the following search?
I've got a field with URLs (for example: /v0.1/first/second/third?=) and a field with the IPs that have hit each URL.
ex:
"URL /v0.1/first/second/third=12 IP: 10.10.10.10 "
"URL /v0.1/first/second/third=123 IP: 11.11.11.11 "
"URL /v0.1/first/second/third=1234 IP: 12.12.12.12"
"URL /v0.1/first/second/123 IP: 13.13.13.13 "
"URL /v0.1/first/1234 IP: 13.13.13.13"
How should I make my search in order to:
match and count the number of hits per IP against each URL (the tricky part: by parsing and counting the URLs by their /v0.1/first/ prefix, without the rest of the URL) to get the total count of hits for all URLs, per minute, per hour and per IP?
It definitely doesn't all have to be in one search (one for total counts, one for per minute, etc.).
So far I've come up with:
source="....." | stats count by URL, IP | sort -count
and it shows me a field with URLs, IP, and count of URL<->IP hits
Yep, I know, Splunk noob here.
Any ideas will be much appreciated 🙂
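One way to build the three searches the post asks for, as an added example that is not part of the original post. It assumes the raw events look like the sample lines above (so `URL` and `IP` are extracted with `rex`), that the first two path segments (e.g. `/v0.1/first`) are the prefix to count by, and that `<your_source>` is a placeholder for the real source name; the field name `url_base` is chosen here. The first search gives total hits per URL prefix and IP, the second hits per minute per IP, the third hits per hour per prefix and IP.

```spl
source="<your_source>"
| rex "URL\s+(?<URL>\S+)\s+IP:\s+(?<IP>\S+)"
| rex field=URL "^(?<url_base>/[^/?]+/[^/?]+)"
| stats count by url_base, IP
| sort -count

source="<your_source>"
| rex "URL\s+(?<URL>\S+)\s+IP:\s+(?<IP>\S+)"
| rex field=URL "^(?<url_base>/[^/?]+/[^/?]+)"
| timechart span=1m count by IP

source="<your_source>"
| rex "URL\s+(?<URL>\S+)\s+IP:\s+(?<IP>\S+)"
| rex field=URL "^(?<url_base>/[^/?]+/[^/?]+)"
| bin _time span=1h
| stats count by _time, url_base, IP
| sort _time, -count
```

The per-minute and per-hour views are the ones worth alerting on: a single IP whose count against one prefix jumps far above the others in a short window stands out immediately, whereas the total count alone hides when the hits happened.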