- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Find top 20 client IPs that generate the most erro...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have only been using Splunk for a few days and couldn't find an answer to this question.
I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).
I'm able to get a list of all client IPs right now
index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500)
| stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip
| sort -"Total Errors"
This creates a table like so:
clientip | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count
142.182.28 | 20 | 13 | 5 | 1 | 1 | 0
I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're very close! The thing you're missing is that the sort command can take a number to give the top N.
So all you have to do is change your line:
| sort - "Total Errors"
to:
| sort 20 - "Total Errors"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're very close! The thing you're missing is that the sort command can take a number to give the top N.
So all you have to do is change your line:
| sort - "Total Errors"
to:
| sort 20 - "Total Errors"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I was not aware sort could take that parameter and this worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about ... | sort - "Total Errors" | top limit=20 "Total Errors" ?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Except that using top would eliminate the all of the other fields, "clientip", and the "### Count"
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
