Splunk Search

Find top 20 client IPs that generate the most errors and display individual error status counts for each client IP

Kaitrono
Engager

I have only been using Splunk for a few days and couldn't find an answer to this question.
I want to find the client IPs that are generating the most errors and display the count of each specific error as well. However, I want my search to be limited to 20 client IPs (the 20 that generate the most errors).
I'm able to get a list of all client IPs right now

index=blah tag=blah AND (status=302 OR status=304 OR status=403 OR status=404 OR status=500) 
| stats count(status) as "Total Errors" count(eval(status=302)) as "302 Count" count(eval(status=304)) as "304 Count" count(eval(status=403)) as "403 Count" count(eval(status=404)) as "404 Count" count(eval(status=500)) as "500 Count" by clientip 
| sort -"Total Errors"

This creates a table like so:

clientip   | Total Errors | 302 Count | 304 Count | 403 Count | 404 Count | 500 Count 
142.182.28 |      20      |    13     |     5     |     1     |     1     |     0     

I'm not showing all the results obviously, but the table lists data for every clientip and every time I try to limit the results, the search is messed up. I would appreciate any help with what I am doing wrong.

Tags (5)
1 Solution

acharlieh
Influencer

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line:

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"

View solution in original post

acharlieh
Influencer

You're very close! The thing you're missing is that the sort command can take a number to give the top N.

So all you have to do is change your line:

| sort - "Total Errors"

to:

| sort 20 - "Total Errors"

Kaitrono
Engager

Thank you! I was not aware sort could take that parameter and this worked.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

How about ... | sort - "Total Errors" | top limit=20 "Total Errors" ?

---
If this reply helps you, Karma would be appreciated.
0 Karma

acharlieh
Influencer

Except that using top would eliminate the all of the other fields, "clientip", and the "### Count"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...