I have this pattern in logs and I want to search for bursts of requests coming from one IP address.
For example:
line: 10.196.. - - [06/Mar/2019:09:28:41 +0000] "GET /info/moin_static155a/common/ie7/ie7-overflow.js HTTP/1.1" 404 17
I am getting hit by different IPs at random times and their pattern is random. This is one example. Is there a way to detect the pattern, for example a sudden burst of requests coming from one IP or a sudden increase in 5XX or 4XX?
You can search directly like this:
index="your index" "10.196.x.x"
index=x IP=10.196.xx.xx | table *
Where IP is column name. That should work unless I'm missing something.
If you have the IP address as a field in the events, you could search it with fieldname_of_ip="10.196..."
Or you could extract the IP address from the events using rex and search with it.
Or you can search directly in the events with index="your index" TERM(10.196...)
@varshna,
You can count the events per IP, compare the count with previous counts, and see if there is a sudden increase.
For example: index=your_index earliest=-2h | bucket span=1h _time | stats count by IP,_time
Similarly for 5xx and 4xx.
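A stand-alone version of the count-and-compare approach from this answer, added here as an example (it is not the answer author's code and not a Splunk feature): it parses lines in the shape of the question's example, counts them per IP per hour like the `bucket`/`stats` search, also tallies 4xx and 5xx per bucket, and flags a bucket whose count jumps against the previous hour. The sample lines, the IPs in them, and the `ratio`/`min_count` thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same combined-log shape as the question's example line.
SAMPLE_LOGS = """\
10.196.1.5 - - [06/Mar/2019:09:28:41 +0000] "GET /info/moin_static155a/common/ie7/ie7-overflow.js HTTP/1.1" 404 17
10.196.1.5 - - [06/Mar/2019:09:29:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.196.2.9 - - [06/Mar/2019:09:40:10 +0000] "GET /login HTTP/1.1" 200 1024
10.196.1.5 - - [06/Mar/2019:10:05:41 +0000] "GET /a HTTP/1.1" 404 17
10.196.1.5 - - [06/Mar/2019:10:05:42 +0000] "GET /b HTTP/1.1" 404 17
10.196.1.5 - - [06/Mar/2019:10:05:43 +0000] "GET /c HTTP/1.1" 404 17
10.196.1.5 - - [06/Mar/2019:10:05:44 +0000] "GET /d HTTP/1.1" 500 17
10.196.1.5 - - [06/Mar/2019:10:05:45 +0000] "GET /e HTTP/1.1" 503 17
10.196.1.5 - - [06/Mar/2019:10:05:46 +0000] "GET /f HTTP/1.1" 404 17
"""

# Combined log format: IP, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def bucket_counts(log_text, span_seconds=3600):
    """Like `bucket span=1h _time | stats count by IP,_time`: {(ip, bucket_epoch): {total,4xx,5xx}}."""
    counts = defaultdict(lambda: {"total": 0, "4xx": 0, "5xx": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        bucket = int(ts.timestamp()) // span_seconds * span_seconds
        entry = counts[(m.group("ip"), bucket)]
        entry["total"] += 1
        status = int(m.group("status"))
        if 400 <= status < 500:
            entry["4xx"] += 1
        elif status >= 500:
            entry["5xx"] += 1
    return dict(counts)

def find_bursts(counts, span_seconds=3600, metric="total", ratio=3.0, min_count=5):
    """Flag (ip, bucket, count, previous) where count >= min_count and >= ratio x previous bucket."""
    bursts = []
    for (ip, bucket), entry in sorted(counts.items()):
        # A missing previous bucket counts as 0, so a first-time burst still trips min_count.
        prev = counts.get((ip, bucket - span_seconds), {}).get(metric, 0)
        if entry[metric] >= min_count and entry[metric] >= ratio * prev:
            bursts.append((ip, bucket, entry[metric], prev))
    return bursts
```

Run `find_bursts(bucket_counts(SAMPLE_LOGS))` for request bursts, or pass `metric="4xx"` / `metric="5xx"` with a smaller `min_count` for the status-code variants.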