How to search top 5 IPs with highest distinct coun...

niboucher · ‎07-31-2014

Hello,

In each line of the logs ,there is an email, an IP address and a timestamp.

I'd like to calculate for each day the top 1 (or top 5 or top 10) IPs which have the biggest number of distinct emails.

I'm using this

| bin span=1d _time
| stats dc(email) by ip,_time

but this doesn't do the trick since it prints a line for each IP and each day and I don't know to get only the top 5 dc(email) per IP

I'd like the result to look like this

_time        dc(email)    ip

2014-07-28   50           10.1.1.1
             30           1.1.1.2
             20           1.1.1.3
             10           1.1.1.4
             10           1.1.1.4
2014-07-29   120          10.9.1.1
             85           25.1.1.2
             45           34.1.1.3
             35           26.1.1.4
             15           42.1.1.4

Do you guys know how to do this?

somesoni2 · ‎07-31-2014

Another way of achieving the same

your base search | bin span=1d _time | stats dc(email) as dc by ip,_time | sort _time,dc | streamstats count by _time | where count < 6

somesoni2 · ‎08-01-2014

It indeed should be <6. Thanks for pointing it out. I guess I'm in mood for early Friday..

martin_mueller · ‎08-01-2014

Wouldn't that be where count < 6?

aelliott · ‎07-31-2014

Try something like this:

|bucket _time span=1d | eventstats dc(email) by ip | top limit=5 dc(email),ip by _time |sort -_time, -dc(email)

aelliott · ‎07-31-2014

Updated the answer, should be good now.

How to search top 5 IPs with highest distinct count emails per day?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!