Calculate how many IPs changed since last week

Regengott · ‎07-12-2013

I have a bunch of log files from a honeypot. In this logfiles, I have IP-Adresses which appear almost every day and some of them change. Now I'd like to see on a per week basis how many new IPs dropping in the pot.

Just to make my analysis problem clear

IPs in week 1

1.2.3.4

2.3.4.5

3.4.5.6

IPs in week 2

1.2.3.4

2.3.4.5

3.4.5.6

9.9.9.9

The result would be "1 IP added since last week"

bmunson_splunk · ‎07-12-2013

You need to do a subsearch and use the boolean NOT to exclude those results.

source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d  source=mylogs | stats count by src_ip | fields src_ip ] | stats dc(src_ip) as "New IP's this week"

If you are regularly doing this and have a lot of data, you might want to schedule the subsearch to speed this up.

edited to add the command "search" above and modify output

Regengott · ‎07-12-2013

/me = newbie 🙂 Thx - now I got a result, I need to interpret it, wether it is what I want

okrabbe_splunk · ‎07-12-2013

he just forgot to put the search command. Add the word search before earliest. ie:
source=mylogs src_ip=* NOT [ search earliest=-14d@d latest=-7d@d .....

Regengott · ‎07-12-2013

Thx for quick response, but unfortunately I got an error "Unknown search command 'earliest'". Perhaps I should have mentioned I used the free version 5.0.3?

linu1988 · ‎07-12-2013

use join to see the difference

Calculate how many IPs changed since last week

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms