How to get top x-forwarded-for IP address in Apache access log?

anaser9129
New Member

Hello,

My data sample:

10.54.3.81 188.54.195.26, 10.5.81.2 - - [08/Jun/2014:13:16:08 +0000] "POST /index.php HTTP/1.1" 200 40 "" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5300 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" BytesIn:3342 Bytes:596 Time:87556 Process:31989 Conn:+ Host:localhost

10.54.3.81 188.54.195.26, 10.5.81.2 - - [08/Jun/2014:13:16:08 +0000] "GET /sa-ar/%D8%A8%D9%84%D8%A7%D9%83-%D8%A8%D9%8A%D8%B1%D9%8A-q10-%D8%B3%D8%B9%D8%A9-16-%D8%AC%D9%8A%D8%AC%D8%A7%D8%A8%D8%A7%D9%8A%D8%AA-%D9%86%D8%B8%D8%A7%D9%85-%D8%A7%D9%84%D8%AA%D8%B4%D8%BA%D9%8A%D9%84-%D8%A8%D9%84%D8%A7%D9%83-%D8%A8%D9%8A%D8%B1%D9%8A-10-%D9%88%D8%A7%D9%8A-%D9%81%D8%A7%D9%8A-+-lte-%D8%A7%D9%84%D8%AC%D9%8A%D9%84-%D8%A7%D9%84%D8%B1%D8%A7%D8%A8%D8%B9-%D8%A3%D8%A8%D9%8A%D8%B6-%D8%B0%D9%87%D8%A8%D9%8A-6971438/i/ HTTP/1.1" 200 31265 "/sa-ar/%D8%B0%D9%87%D8%A8%D9%8A/%D9%85%D9%88%D8%A8%D8%A7%D9%8A%D9%84%D8%A7%D8%AA--bslash--%D8%AC%D9%88%D8%A7%D9%84%D8%A7%D8%AA-33/a-t/s/?seller=DOD_KSA%2Ctest-Shop&rpp=10&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=dod_sa_ar_a_080614_O&utm_content=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" BytesIn:4103 Bytes:31824 Time:950381 Process:31922 Conn:+ Host:localhost

10.54.3.81 66.249.65.252, 10.5.81.2 - - [08/Jun/2014:13:16:09 +0000] "GET /sa-ar/casio/s/ HTTP/1.1" 200 20351 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +/bot.html)" BytesIn:388 Bytes:21087 Time:794695 Process:31985 Conn:+ Host:localhost

How can I get the number of IP addresses in a column, like:

ip_list         count
188.54.195.26   2
66.249.65.252   1

Thanks

0 Karma

rsennett_splunk
Splunk Employee

Assuming you are using the directives in the default sourcetype of access_combined_wcookie and your IP address field is called clientip... you want this:

index=whatever sourcetype=whatever |top clientip|fields - percent

The "top" command will give you a percent column as well as a count column, so you can remove it with 'fields'. You can adjust how many IP addresses show by adding limit=, as in: |top limit=20 clientip

If you want all your IP addresses you could just say: |stats count by clientip|sort -count

You might want to take a look at this book available on Amazon (Kindle version is $18.00), which will take you through a nice slow lesson on how to use the search language.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
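As an added example (not code from the question or the answer above), here is a Python script that parses lines in the layout the poster shows and produces the requested ip/count table outside Splunk. It assumes the 10.0.0.0/8 hops seen in the sample are the poster's own proxies; it deliberately does not take the leftmost X-Forwarded-For entry, because that header is supplied by the client and only the entries appended by your own proxies can be trusted.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the same layout as the posted lines (user agents shortened to "UA").
SAMPLE_LOG = """\
10.54.3.81 188.54.195.26, 10.5.81.2 - - [08/Jun/2014:13:16:08 +0000] "POST /index.php HTTP/1.1" 200 40 "" "UA" BytesIn:3342 Bytes:596 Time:87556 Process:31989 Conn:+ Host:localhost
10.54.3.81 188.54.195.26, 10.5.81.2 - - [08/Jun/2014:13:16:08 +0000] "GET /sa-ar/casio/s/ HTTP/1.1" 200 31265 "-" "UA" BytesIn:4103 Bytes:31824 Time:950381 Process:31922 Conn:+ Host:localhost
10.54.3.81 66.249.65.252, 10.5.81.2 - - [08/Jun/2014:13:16:09 +0000] "GET /sa-ar/casio/s/ HTTP/1.1" 200 20351 "-" "UA" BytesIn:388 Bytes:21087 Time:794695 Process:31985 Conn:+ Host:localhost
10.54.3.81 1.2.3.4, 188.54.195.26, 10.5.81.2 - - [08/Jun/2014:13:16:10 +0000] "GET / HTTP/1.1" 200 10 "-" "UA" BytesIn:1 Bytes:2 Time:3 Process:4 Conn:+ Host:localhost
"""

# Assumed: the proxies/load balancers in front of Apache all sit in 10.0.0.0/8.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# remote address, then the X-Forwarded-For list ("a, b, c"), then the "- -" ident/user fields.
LINE_RE = re.compile(r"^(?P<remote>\S+) (?P<xff>[^\s,]+(?:, [^\s,]+)*) - - \[")

def client_ip(line):
    """Return the client IP for one log line, or None if the line does not match.

    Each proxy appends the address it saw to X-Forwarded-For, so the leftmost entry
    is whatever the original sender put there. Walk the chain from the right (the
    remote address is the last hop), skip our own proxies, and take the first
    address that is not ours: the peer that reached the outermost trusted proxy."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hops = [h.strip() for h in m.group("xff").split(",")] + [m.group("remote")]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # malformed entry in the header: do not attribute the hit to anyone
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None  # every hop was one of our own proxies

def top_client_ips(log_text, limit=20):
    """Equivalent of the requested ip_list/count table, most frequent first."""
    counts = Counter(ip for ip in map(client_ip, log_text.splitlines()) if ip)
    return counts.most_common(limit)

if __name__ == "__main__":
    for ip, n in top_client_ips(SAMPLE_LOG):
        print(f"{ip:<16} {n}")
```

With the constructed sample, the forged leftmost entry 1.2.3.4 on the last line is ignored and the hit is counted for 188.54.195.26.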