Splunk Search

How to create a search to find the same IP hitting specific URL (x number of times)?

sbhuie
New Member

Having trouble creating a search that will determine if any single unique IP hits a defined URL 5 or more times within a 30 minute time frame. I've been trying something like this...

index=*index* sourcetype=*sourcetype* URL="*uriPath*"
| stats dc(*uriPath*) as URL by *srcIP*
| where URL>5
0 Karma

spayneort
Contributor

If it is a single uriPath you are looking at, you can do this:

index="<index>" sourcetype="<sourcetype>" URL="<uriPath>" | stats count by srcIP | search count>5
0 Karma

niketn
Legend

@sbhuie try the following

 index=<index> sourcetype=<sourcetype> URL="<uriPath>"
 | bin _time span=30min
 | stats dc(URL) as URL by _time srcIP
 | where URL>5
 | xyseries _time srcIP URL 

Following is run anywhere search example based on Splunk's _internal index

index=_internal sourcetype=splunkd_ui_access
| bin _time span=30min
| stats dc(uri) as Hit by _time  clientip
| search Hit>5
| xyseries _time clientip Hit
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...