I am logging from Amazon ELB and I have some particular clients that seem to have a bug that causes them to flood the server with the same request over and over. Usually the server receive around 1000 requests during 1-2 seconds then it will stop. This happens around once a week. I would like to locate all these instances and put them in a table. In Splunk I have the following parameters available that I would like to group on:
deviceGuid
I would like to have a list showing the following each time count > 100:
DateTime, deviceGuid, deviceBrand, deviceModel, count
For example this would be perfect if I can achieve:
2016-01-01 00:00:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,900
2016-01-01 00:05:00,d9244663-9ac8-48ce-b125-35b553e39c9a,IBM,ThinkPad 200,800
2016-01-01 00:05:00,2e718d56-91bf-401c-a305-79bc638ac705,IBM,ThinkPad 500,900
I would like DateTime of the span together deviceGuid to be unique on each row
This is what I have so far
host=cloudserver ClientConfig | timechart span=5sec count | where count > 100
Is this doable?
... View more