How to get top ip address in access_log ?

bumbumndb · ‎07-25-2012

My data same :

Jul 24 19:49:59 mydomain.com httpd[9058]: [error] [client 10.254.53.13] Directory index forbidden by Options directive: /var/www/html/

Jul 24 19:49:59 mydomain.com httpd[9044]: [error] [client 10.254.53.14] Directory index forbidden by Options directive: /var/www/html/

Jul 24 19:49:59 mydomain.com httpd[9056]: [error] [client 10.254.53.15] Directory index forbidden by Options directive: /var/www/html/

How I can get IP [ 10.245.53.13 ] and get number of Ip address on column
Like :
ip_list count
10.254.53.13 123
10.254.53.14 10
10.254.53.15 5

Ayn · ‎07-25-2012

Do you have the IP number extracted as a field? If you do, and we'll say it's called ip, it's as easy as

... | top ip

bumbumndb · ‎07-25-2012

Thanks your help . I got it

Ayn · ‎07-25-2012

Either use the interactive field extractor (click on the arrow by the events, choose "Extract fields..."), alternatively you could add an extraction as part of your search:

... | rex "\[client (?<ip>.+?)\]" | top ip

bumbumndb · ‎07-25-2012

I don't know how to extract IP address to field ? Can help me figure out ? Thanks

How to get top ip address in access_log ?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!