How to search a file for an unknown IP address that occurs the most in the file

Posted on 2012-09-13
Last Modified: 2012-09-16
If I'm trying to see what IP address occurs most in an Apache access file, how would I do that?

The IP address is unknown. Maybe something with grep? Anything will do, so long as it can be done in bash.

Question by:drj003
    LVL 74

    Assisted Solution

    by:käµfm³d 👽
    How about:

    grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" log_file | sort | uniq -c | sort -rn | head -n1


    LVL 48

    Expert Comment

    awk '{print $1}' access.log|sort |uniq -c|sort -rn | less


    LVL 6

    Accepted Solution

    awk '{ print $1 }' /etc/httpd/logs/access_log | sort | uniq -c | sort -rn | awk 'NR == 1'

    You will want to change the path to your access_log and you can remove the last awk command if you wish to get output for all IP addresses and the number of times they appear in your access_log.

    Expert Comment

    cat <your log file> | egrep '[0-255][.]|[0-255][.]|[0-255][.]|[0-255]'|uniq -c |sort -nr | head -1

    You will get the IP address that has occurred the most in the log file.

    Thanks, Good luck..
    LVL 74

    Expert Comment

    by:käµfm³d 👽

    Your pattern doesn't do what you think it does  = )

    "[0-255]" means "either 0, 1, 2, or 5", not "0 to 255".

    Expert Comment

    Yeah, right.. it will need more changes.. :)
    LVL 2

    Author Closing Comment

    Thanks guys.  Exactly what I was looking for.
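
An added example, not code from any poster in this thread: the field-1 counting approach from the answers above as a reusable function that also checks each octet numerically, which is what the `[0-255]` pattern was attempting. The names `top_ips` and `sample_log` and the log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: rank client IPv4 addresses in an Apache access log by request count.

# top_ips FILE [N]: print the N busiest clients as "count ip" (FILE may be - for stdin).
top_ips() {
    awk '
        # Field 1 of the common/combined log format is the client address.
        # Count it only if it is four dot-separated decimal octets, each 0-255.
        # The range is tested numerically; a bracket expression cannot express it.
        {
            if (split($1, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
            hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-1}"
}

# Constructed sample log using documentation address ranges (not data from the thread).
# Two lines carry an address inside the request string, and one has an invalid client field.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [13/Sep/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [13/Sep/2012:10:00:02 +0000] "GET /a HTTP/1.1" 200 128
198.51.100.7 - - [13/Sep/2012:10:00:03 +0000] "GET /b HTTP/1.1" 404 64
192.0.2.44 - - [13/Sep/2012:10:00:04 +0000] "GET /?ref=203.0.113.9 HTTP/1.1" 200 99
198.51.100.7 - - [13/Sep/2012:10:00:05 +0000] "POST /login HTTP/1.1" 401 32
999.300.1.2 - - [13/Sep/2012:10:00:06 +0000] "GET / HTTP/1.1" 400 0
203.0.113.9 - - [13/Sep/2012:10:00:07 +0000] "GET /?ref=203.0.113.9 HTTP/1.1" 200 99
EOF
}

# Demo run: the three busiest clients in the sample.
sample_log | top_ips - 3
```

Because only the first field is counted, addresses that appear inside request strings or referrers do not inflate a client's total, and the numeric sort keeps a count of 10 above a count of 9.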
