It seems like something that has been answered before, but I have been unable to find the answer.
Is it possible to run a query that provides unique IP source addresses when searching for a particular string?
I've tried this, however I'm not having any success:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats dc(src_ip)
Would be particularly helpful if a portion of the IP (Host, Network) could be queried.
Hi @jdhavo,
The stats command dc gives the distinct count, as shown here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats
If you want the list of unique IP addresses, you can use values with the stats command. And if you want, you can have both:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) as src_ip dc(src_ip) as distinctCountIP
Note that values puts everything in the same block, so you can use the mvexpand command to split the results out into multiple lines.
In either case make sure the src_ip field exists or you won't be able to run anything 🙂
Cheers,
David
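Two searches that put the answer above together with the "portion of the IP" part of the question. These are added illustrations, not part of the original answer or of Splunk's documentation. They assume the same index, host and keyword as the question; the network 192.168.1.* and the CIDR block 192.168.0.0/16 are placeholders you should replace with your own ranges. The first search restricts to a network with a wildcard on the field value and returns one row per unique address with its event count; the second restricts to a CIDR block with cidrmatch, returns the distinct count alongside the multivalue list of addresses, and then uses mvexpand to split that list into one row per address.

```spl
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY src_ip="192.168.1.*"
| stats count AS events BY src_ip
| sort - events

splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY
| where cidrmatch("192.168.0.0/16", src_ip)
| stats dc(src_ip) AS distinctCountIP, values(src_ip) AS src_ip
| mvexpand src_ip
```

Two caveats: stats BY src_ip silently drops events in which src_ip is missing, so if the address is only present in the raw text and not extracted as a field, add an extraction (rex) before the stats, and after mvexpand the distinctCountIP value is repeated on every row because it was computed once over the whole result set.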
The query you have right now simply returns the number of unique IP addresses. If you want the actual list of unique addresses, try this:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip)
Or, to also get the number of events for each unique address:
splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats count by src_ip
Does your Splunk data contain IP addresses?