Splunk Search

How to find count of occurrences of each IP for the first 15 mins starting from the first occurrence of each IP ?

sambit_kabi
Path Finder

Say I have an index A which has all the IPs logged during the day. So every event has an IP and the timestamp it was seen.

What I need to find is the count of the occurrence of each IP for the first 15 mins starting from the timestamp of the first occurrence of the IP.

Example: Say I find IP 1.2.3.4 at 10:00, 10:05, 10:12, 10:16, 10:20 and IP 9.8.7.6 at 11:00, 11:05, 11:10, 11:20.

For IP 1.2.3.4 the first occurrence was at 10:00. So in the first 15 mins, which is from 10:00 till 10:15, I get the occurrence count as 3. The occurrences at 10:16 and 10:20 are ignored.

Similarly for IP 9.8.7.6 the first occurrence was at 11:00, so for the first 15 mins, i.e. from 11:00 to 11:15, the occurrence count is 3. The 11:20 occurrence is ignored.

So basically I want a search query which will give me the count of occurrence of each IP for the first 15 mins starting from the first occurrence of each IP.

The search result here would be
1.2.3.4 3
9.8.7.6 3

0 Karma
1 Solution

nickhills
Ultra Champion

Here are a couple of ways:

<your search> | bin span=15m _time
| stats count by IPAddress, _time
| sort + _time
| dedup IPAddress

That will use arbitrary 15 min blocks, 00, 15, 30, 45 etc.

If you want the 15 mins to start from the time of the first event:

<your search> | transaction IPAddress maxspan=15m
| sort + _time
| dedup IPAddress
| table IPAddress _time eventcount
If my comment helps, please give it a thumbs up!


0 Karma
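Added example, not part of the original thread: a Python rendering of the two counting methods in the answer above, run over the question's own sample data plus a third, constructed IP (5.6.7.8) whose first sighting does not fall on a quarter-hour boundary. It makes the difference visible that the answer only states in words: fixed wall-clock bins (the `bin span=15m` variant) can cut an IP's first 15 minutes short, while a window anchored at each IP's first event does not. All events here are constructed; the timestamp/IP line layout and the half-open window (an event exactly 15 minutes after the first one is excluded) are my assumptions, since the question does not say whether the boundary is inclusive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): one "ISO-timestamp IP" per
# line. The first two IPs reproduce the question's example; 5.6.7.8 is added because
# its first event (10:10) sits inside a fixed 10:00-10:15 bin, so the two methods differ.
SAMPLE_EVENTS = """\
2024-03-01T10:00:00 1.2.3.4
2024-03-01T10:05:00 1.2.3.4
2024-03-01T10:12:00 1.2.3.4
2024-03-01T10:16:00 1.2.3.4
2024-03-01T10:20:00 1.2.3.4
2024-03-01T11:00:00 9.8.7.6
2024-03-01T11:05:00 9.8.7.6
2024-03-01T11:10:00 9.8.7.6
2024-03-01T11:20:00 9.8.7.6
2024-03-01T10:10:00 5.6.7.8
2024-03-01T10:20:00 5.6.7.8
2024-03-01T10:24:00 5.6.7.8
2024-03-01T10:26:00 5.6.7.8
"""

WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse 'ISO-timestamp ip' lines into (datetime, ip) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    return events


def count_first_window(events, window=WINDOW):
    """Per IP, count events in [first_seen, first_seen + window).

    This is the 'first 15 minutes from the first event' semantics the question asks
    for (what the transaction maxspan=15m approach approximates). The interval is
    half-open by assumption: an event exactly at first_seen + window is not counted.
    """
    first_seen = {}
    for ts, ip in sorted(events):          # chronological, so the first event per IP wins
        first_seen.setdefault(ip, ts)
    counts = defaultdict(int)
    for ts, ip in events:
        if first_seen[ip] <= ts < first_seen[ip] + window:
            counts[ip] += 1
    return dict(counts)


def count_first_fixed_bin(events, window=WINDOW):
    """Per IP, count events in the fixed wall-clock bin (xx:00, xx:15, xx:30, xx:45)
    that contains the IP's first event. This is what 'bin span=15m _time | stats count
    by IP,_time | sort _time | dedup IP' returns: the bin boundary, not the first event,
    decides where the 15 minutes end.
    """
    epoch = datetime(1970, 1, 1)           # any fixed origin works for naive datetimes

    def bucket(ts):
        return epoch + ((ts - epoch) // window) * window

    first_bucket = {}
    for ts, ip in sorted(events):
        first_bucket.setdefault(ip, bucket(ts))
    counts = defaultdict(int)
    for ts, ip in events:
        if bucket(ts) == first_bucket[ip]:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    anchored = count_first_window(events)
    fixed = count_first_fixed_bin(events)
    print(f"{'IP':<10}{'anchored':>10}{'fixed bin':>11}")
    for ip in sorted(anchored):
        # 5.6.7.8 shows the gap: 3 events in its own first 15 minutes, only 1 in the
        # 10:00-10:15 bin, because 10:20 and 10:24 fall into the next bin.
        print(f"{ip:<10}{anchored[ip]:>10}{fixed[ip]:>11}")
```

If you want the anchored semantics in SPL without `transaction` (which groups in memory and is subject to its default event-count limits on busy indexes), the same computation can be written with `eventstats`, assuming the field is called IPAddress; this is my addition, not part of the answer: `<your search> | eventstats min(_time) as first_seen by IPAddress | where _time < first_seen + 900 | stats count by IPAddress`.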


sambit_kabi
Path Finder

Thanks for the prompt reply. It works. Thanks again. Got to learn a new command.

0 Karma