Hi everyone,
I'm not sure if I have chosen the title correctly, but I have tried to make it as generic as possible, as it may be useful in other situations.
I want to know how many unique IPs (c_ip) have accessed an IIS web server in the last day, grouped by result (sc_status) (error or success).
I can get the number of unique IPs:
sourcetype=iis earliest=-1d@d latest=@d | stats dc(c_ip) by sc_status
Result:
sc_status dc(c_ip)
200 4285
401 29
404 33
I can also get the number of requests summed up by result:
sourcetype=iis earliest=-1d@d latest=@d | bin span=1d _time | stats count as request by _time, sc_status
And get this:
_time sc_status request
2015-08-30 00:00:00 200 101335
2015-08-30 00:00:00 401 31
2015-08-30 00:00:00 404 1034
What I would like is to group both results, but I don't know how. Just this:
_time sc_status request Unique IPs
2015-08-30 00:00:00 200 101335 4285
2015-08-30 00:00:00 401 31 29
2015-08-30 00:00:00 404 1034 33
Is the title right? 🙂
Thanks in advance!
You are almost there already. Try this:
sourcetype=iis earliest=-1d@d latest=@d | bin span=1d _time | stats count as request dc(c_ip) as "Unique IPs" by _time, sc_status
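The stats semantics of the accepted answer (count and dc(c_ip) computed in one pass per _time bucket and sc_status), plus the success/error split the question asks about, as an added Python example that is not from this thread; the IIS W3C log lines are constructed, and the daily bucket uses the log's date field in place of Splunk's _time:

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2015-08-30 00:01:10 10.0.0.1 GET /index.html 200
2015-08-30 00:02:11 10.0.0.2 GET /index.html 200
2015-08-30 00:03:12 10.0.0.1 GET /admin 401
2015-08-30 00:04:13 10.0.0.3 GET /missing 404
2015-08-30 00:05:14 10.0.0.1 GET /index.html 200
2015-08-30 00:06:15 10.0.0.3 GET /missing 404
2015-08-31 00:00:01 10.0.0.9 GET /index.html 200
"""


def parse_iis(text):
    """Yield (date, c_ip, sc_status) per request line, driven by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names, e.g. 'c-ip', 'sc-status'
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # other directives, blanks, or no header yet
        rec = dict(zip(fields, line.split()))
        yield rec["date"], rec["c-ip"], int(rec["sc-status"])


def stats_by_day(text, key_fn=lambda status: status):
    """Mirror of: bin span=1d _time | stats count as request dc(c_ip) as "Unique IPs" by _time, <group>.

    key_fn maps sc_status to the second group-by value (the raw status by default).
    Returns {(date, group): {"request": n, "Unique IPs": m}} in sorted key order.
    count increments per event; dc(c_ip) is the size of the per-group set of IPs.
    """
    requests = defaultdict(int)
    ips = defaultdict(set)
    for day, ip, status in parse_iis(text):
        key = (day, key_fn(status))
        requests[key] += 1
        ips[key].add(ip)
    return {k: {"request": requests[k], "Unique IPs": len(ips[k])} for k in sorted(requests)}


def result_class(status):
    """Success/error split from the question: 2xx/3xx are success, 4xx/5xx are errors."""
    return "success" if status < 400 else "error"
```

Calling `stats_by_day(SAMPLE_LOG)` gives the per-status table from the answer, while `stats_by_day(SAMPLE_LOG, result_class)` collapses the statuses into the success/error grouping; the same split in SPL would be an `eval` before the `stats`.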
Awesome, somesoni2. It couldn't have been easier 🙂 I was breaking my head trying to find the way to join both groupings, adding semicolons, pipes, not commas because I saw that was used to separate fields, changing the order... anything, but I never thought of the simplest solution: just join them with a space. I guess I'll have to find myself a guide for basic searches in Splunk 🙂
Thank you very much for the answer, somesoni2.