Solved: How to filter on DC after applying stats?

jwalzerpitt · ‎07-26-2018

I have the following search in which I am looking for a list of each source IP, the list of websites they hit, the count of GETs per website, and then an overall total of GETs for all websites

index=foo http_method=GET
| bucket _time span=5m
| stats count by src, website
| sort -count 
| where count >= 5
| stats list(website) as Website, list(count) as count, sum(count) as Total by src 
| sort -Total

How can I modify the search to query for only IPs that have hit more than 5 websites within the 5-minute time span?

Thx

somesoni2 · ‎07-26-2018

Give this a try

index=foo http_method=GET
| bucket _time span=5m
| stats count by src, website
| sort -count 
| where count >= 5 | evenstats dc(website) as sites by src | where sites>=5
| stats list(website) as Website, list(count) as count, sum(count) as Total by src 
| sort -Total

View solution in original post

somesoni2 · ‎07-26-2018

Give this a try

index=foo http_method=GET
| bucket _time span=5m
| stats count by src, website
| sort -count 
| where count >= 5 | evenstats dc(website) as sites by src | where sites>=5
| stats list(website) as Website, list(count) as count, sum(count) as Total by src 
| sort -Total

jwalzerpitt · ‎07-26-2018

Aweomse - worked perfectly!

Thx

How to filter on DC after applying stats?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases