I'm trying to write a search/report that shows the number of times an IP address has hit a given URL over consecutive days.
The output I'm looking for would look something like this:
IP addr       16-May  15-May  14-May  13-May  12-May  11-May
-----------------------------------------------------------
192.168.1.1   25      29      15      74      39      83
192.168.1.2   25      29      15      74      39      83
192.168.1.3   25      29      15      74      39      83
192.168.1.4   25      29      15      74      39      83
192.168.1.5   25      29      15      74      39      83
My single-day version of this search is like this:
sourcetype=weblogs uri="/search/*" | stats count by srcip
But I'm at a loss when it comes to a) showing the rest of the days and b) making sure those numbers aren't zero (if one of the counts would be zero, I don't want that srcip in the report at all).
Is this possible in Splunk?
Thanks,
Scott
Are your date values in a separate field? If they are, you could try this:
sourcetype=weblogs uri="/search/*" | chart count over srcip by datefield | addtotals | where Total>0
If the date values come from the _time field, try this:
sourcetype=weblogs uri="/search/*" | bin span=1d _time as datefield | eval datefield = strftime(datefield, "%d-%b") | chart count over srcip by datefield | addtotals | where Total>0
Thank you for your help.
This is really close. The search you've provided will include IP addresses that have zeroes in particular days.
If I limit the Time Period to a specific date range (May 2nd through May 6th for my next example) I can make it work by using the day-of-the-week names as column headers and putting those into the where clause:
sourcetype=weblogs uri="/search/*" | bin span=1d _time as datefield | eval datefield = strftime(datefield, "%a") | chart count over srcip by datefield | where Mon>0 AND Tue>0 AND Wed>0 AND Thu>0 AND Fri>0
Thanks for your help!
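A more general way to drop every srcip that has a zero on any day in the selected time range, without hard-coding the column names the way the last search above does. This is an added example and not something posted in the thread; it assumes the same sourcetype=weblogs, uri and srcip fields the question uses, and the field name day is an arbitrary choice:

```spl
sourcetype=weblogs uri="/search/*"
| bin span=1d _time AS day
| stats count BY srcip day
| eventstats dc(day) AS total_days
| eventstats dc(day) AS days_seen BY srcip
| where days_seen == total_days
| eval day=strftime(day, "%d-%b")
| xyseries srcip day count
| sort srcip
```

The first eventstats counts the distinct days on which anything matched the search; the second counts, per srcip, the days on which that address appeared. An address missing on even one day fails the comparison and is dropped before xyseries pivots the rows into the one-column-per-day layout from the question, so the filter survives any change to the time picker. Two caveats: total_days only counts days on which at least one event matched at all, so a day with no traffic from anyone does not count as a day; and xyseries orders the columns lexically, so use "%Y-%m-%d" instead of "%d-%b" if the range crosses a month boundary and chronological order matters. From a detection standpoint the result is a list of sources hitting the search endpoint every single day of the window, which is the pattern of sustained automated scraping or enumeration rather than a one-off burst.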