topic Re: How do you list source IPs that hit only two URLs in WEB source types? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445665#M177044 <P>Thanks but I need to get the list of IPs that hit two URLs <BR /> account/XYz and account/ABC</P> Tue, 05 Feb 2019 15:06:48 GMT aamer86 2019-02-05T15:06:48Z How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445663#M177042 <P>We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs. </P> <P>The fields are:</P> <P>src for source IP <BR /> uri_path for hit URL </P> Tue, 05 Feb 2019 14:51:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445663#M177042 aamer86 2019-02-05T14:51:20Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445664#M177043 <P>So, something like:</P> <PRE><CODE>&lt;base search here&gt; | stats distinct_count(uri_path) as distinct_uri_count by src | where distinct_uri_count = 2 </CODE></PRE> <P>?</P> Tue, 05 Feb 2019 14:59:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445664#M177043 ccl0utier 2019-02-05T14:59:14Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445665#M177044 <P>Thanks but I need to get the list of IPs that hit two URLs <BR /> account/XYz and account/ABC</P> Tue, 05 Feb 2019 15:06:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445665#M177044 aamer86 2019-02-05T15:06:48Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445666#M177045 <P>You can add <CODE>values(src)</CODE> to the stats command then?</P> <P>Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?</P> Tue, 05 Feb 2019 15:27:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445666#M177045 ccl0utier 2019-02-05T15:27:22Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445667#M177046 <P>sorry I think I should have explained it better </P> <P>so we need to get all the IPs that ONLY hit two urls </P> <P>account/logon <BR /> member/savedcard </P> <P>As this has been detected as an attack pattern </P> <P>So i need the IPs that hit only these two URLs </P> Tue, 05 Feb 2019 15:38:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445667#M177046 aamer86 2019-02-05T15:38:59Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445668#M177047 <P>Then this should do it:</P> <PRE><CODE>&lt;base search&gt; | stats values(uri_path) as uri_path by src | where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard")) | stats count by src </CODE></PRE> <P>You can substitute stats with tstats if uri_path is an indexed field. YMMV.</P> Tue, 05 Feb 2019 16:23:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445668#M177047 ccl0utier 2019-02-05T16:23:54Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445669#M177048 <P>Thanks but this is really slow search using transaction </P> <P>can we have something to be used with tstats and Data Model </P> Tue, 05 Feb 2019 16:50:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445669#M177048 aamer86 2019-02-05T16:50:19Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445670#M177049 <P>I've updated my answer to reflect that. Should be faster/more flexible.</P> Tue, 05 Feb 2019 18:17:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445670#M177049 ccl0utier 2019-02-05T18:17:44Z Re: How do you list source IPs that hit only two URLs in WEB source types? https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445671#M177050 <P>Try this:</P> <PRE><CODE>| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src </CODE></PRE> Tue, 05 Feb 2019 20:58:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-list-source-IPs-that-hit-only-two-URLs-in-WEB-source/m-p/445671#M177050 woodcock 2019-02-05T20:58:28Z