I'm fairly new to Splunk queries, so apologies if this is overly simplistic.
I have a query looking at apache logs in combination with some geoip lookups. It only returns the clientip when that IP has more than 50 hits per Apache log in the given duration (5 mins) and isn't from Texas:
index=myIndex | stats count(host) as HitsByIP by clientip,source | search HitsByIP > 50 | dig clientip | lookup geoip clientip as clientip | search NOT (client_country = "United States" AND client_region = "TX")
I really want to be able to see this in a timechart (or equivalent) so that I can see only the IPs with > 50 hits, but look at counts for those IPs by minute or 5 minutes over a longer course of time, say 1 hour. When I add a timechart to the end, I end up with no results.
The below gets me a little closer with a subquery. It's still not what I'm looking for, but it does give results:
index=myIndex [search index=myIndex | stats count(host) as HitsByIP by clientip,source | search HitsByIP > 50 | dig clientip | lookup geoip clientip as clientip | search NOT (client_country = "United States" AND client_region = "NC")| fields + clientip] | timechart span=5m count by clientip
So maybe I need a different duration for the subquery than the timechart?
Any info is much appreciated.
pjc
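The shape of the problem described in the post is a two-pass aggregation: first decide which client IPs exceed the hit threshold across the whole window (after the geo exclusion), then bucket only those IPs' hits into fixed spans. The following is an added example, not code from the post or from Splunk, that reproduces that logic in plain Python over constructed Apache combined-log lines, with a constructed stand-in for the geoip lookup table. The threshold (50), span (5 minutes) and the exclusion of United States / TX are taken from the first query in the post; the IP addresses, timestamps and lookup values are made up.

```python
"""Two-pass hit aggregation that mirrors what the Splunk search needs to do:
1. count hits per client IP over the whole window,
2. keep only IPs above the threshold that are not in the excluded region,
3. bucket those IPs' hits into 5-minute spans for a timechart-style view.
Sample log lines and the geo lookup are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: host ident user [time] "request" status bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed stand-in for the geoip lookup: ip -> (client_country, client_region).
GEO = {
    "203.0.113.5": ("United States", "TX"),   # excluded region
    "198.51.100.7": ("Germany", "BY"),
    "192.0.2.9": ("United States", "NC"),
}


def make_lines(ip, start, count, step_seconds):
    """Build `count` constructed log lines for `ip`, one every `step_seconds`."""
    return [
        f'{ip} - - [{(start + timedelta(seconds=i * step_seconds)).strftime(APACHE_TS)}] '
        f'"GET / HTTP/1.1" 200 512'
        for i in range(count)
    ]


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "clientip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), APACHE_TS),
        "status": int(m.group("status")),
    }


def bucket_start(ts, span_seconds):
    """Floor a timestamp to the start of its span (the role of `bin _time span=5m`)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def excluded(ip, country="United States", region="TX"):
    """True when the lookup places the IP in the region the search filters out."""
    c, r = GEO.get(ip, (None, None))
    return c == country and r == region


def noisy_ips(events, threshold):
    """Pass 1: IPs whose total hit count over the whole window exceeds `threshold`."""
    totals = defaultdict(int)
    for e in events:
        totals[e["clientip"]] += 1
    return {ip for ip, n in totals.items() if n > threshold and not excluded(ip)}


def timechart(events, span_seconds=300, threshold=50):
    """Pass 2: per-span counts, keyed by ISO bucket start, for the noisy IPs only."""
    keep = noisy_ips(events, threshold)
    chart = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["clientip"] in keep:
            chart[bucket_start(e["time"], span_seconds)][e["clientip"]] += 1
    return {b.isoformat(): dict(c) for b, c in sorted(chart.items())}


# Constructed sample: one excluded TX client, one German client that is well
# over 50 hits spread across three 5-minute spans, one quiet client, and a
# line that does not parse and is skipped.
_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    make_lines("203.0.113.5", _START, 60, 10)
    + make_lines("198.51.100.7", _START, 60, 12)
    + make_lines("192.0.2.9", _START, 3, 60)
    + ["not a log line"]
)
SAMPLE_EVENTS = [e for e in map(parse_line, SAMPLE_LINES) if e is not None]


def sample_timechart():
    """Run the full pipeline over the constructed sample."""
    return timechart(SAMPLE_EVENTS)


if __name__ == "__main__":
    for bucket, counts in sample_timechart().items():
        print(bucket, counts)
```

The point the example makes is that the threshold is evaluated once over the whole search window and the 5-minute buckets are computed afterwards, which is why a `timechart` appended to a `stats ... by clientip` pipeline has no `_time` left to chart. In SPL the same two-step shape would be bucketing `_time` and counting by `_time` and `clientip`, then using `eventstats` to carry each IP's window total onto its rows, filtering with `where` on that total, and only then running `timechart span=5m sum(count) by clientip`; that SPL sketch is my reading of the commands' documented behaviour, not a tested search from the post.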