It seems simple but somehow the answer escapes me. I have Apache http access logs and I want to look for source IPs that produced the highest number of HTTP response codes, methods, etc. E.g. 10.10.10.10 only used GET, while 11.11.11.11 used GET, POST, PUT, etc on my webserver. You can see where I am going with this. So, what kinda query would do it?
In addition to what lguinn posted, this is fairly explicit. Ah, that's a more efficient solution.
(01 Jun '11, 10:16)
lguinn ♦
Well, probably not more efficient, but more clearly corresponding to what you're asking for.
(01 Jun '11, 10:32)
gkanapathy ♦
Thanks a lot for this!!
(01 Jun '11, 15:56)
anton_chuvakin
Here are two examples of what you asked for -- Most number of methods used, not counting duplicates
Most number of unique pages visited
But here are variations that might be more useful --
Finally, take it to the next level by clicking the "Build Report" button and making a graph or chart of the results! To really figure out what he asked, the last couple should actually look like:
(31 May '11, 19:45)
gkanapathy ♦
Thanks a lot for this as well!!
(01 Jun '11, 15:56)
anton_chuvakin
In the end, I ended up using these:

sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count

and this

sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count

with GREAT results that led me to some fun web mayhem that was happening. Thanks a lot to all involved :-)
This (http://splunk-base.splunk.com/answers/6015/display-field-uniques-in-search) seems related but isn't quite the same since I need to rank by uniqueness...