Need to search all request based on IP address

varshna · ‎03-06-2019

I have these pattern in logs and I want to search burst of requests coming from one IP address

For example:

line: 10.196.. - - [06/Mar/2019:09:28:41 +0000] "GET /info/moin_static155a/common/ie7/ie7-overflow.js HTTP/1.1" 404 17

varshna · ‎03-07-2019

I am getting hit by different IPs at random times and their pattern is random. This is one of the example. Is there a way to detect the pattern, for ex: sudden burst of requests coming from one IP or sudden increase in 5XX or 4XX.

cvssravan · ‎03-06-2019

You can search directly like this:

index="your index" "10.196.x.x"

JPaule · ‎03-06-2019

index=x IP=10.196.xx.xx | table *

Where IP is column name. That should work unless I'm missing something.

renjith_nair · ‎03-06-2019

@varshna,

If you have the IP address as a field in the events, you could search it with fieldname_of_ip="10.196..."
Or you shall extract the IP address from the events using rex and search with it
Or you can search directly in the events with index="your index" TERM(10.196...)

Happy Splunking!

varshna · ‎03-10-2019

I am getting hit by different IPs at random times and their pattern is random. This is one of the example. Is there a way to detect the pattern, for ex: sudden burst of requests coming from one IP or sudden increase in 5XX or 4XX.

renjith_nair · ‎03-11-2019

@varshna,

You can count the events per IP and compare it with previous counts and see if there is a sudden increase

For eg. index=your_index earliest=-2h |bucket span=1h _time|stats count by IP,_time

Similarly for 5xx and 4xxx

Happy Splunking!

Need to search all request based on IP address

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life