https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207253#M187743 <P>OP: Here is the issue, I know the 5 uri stems that the group is always hitting and they only hit those uri stems. I am looking for a solution that will search for any user who has hit all five of the specific uri stems and nothing else. This is a way of tracking their activity, but I don't know if such a query is possible</P> Tue, 08 Sep 2015 22:37:41 GMT matt_cunningham 2015-09-08T22:37:41Z https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207251#M187741 <P>An group of IP Addresses, continue to hit a set of 5 uri stems. If they change their IP Address, I would still like to be able to track them as they only hit the same 5 uri stems. Is there any way to format this into a query? Does a query such as uri_stem="uri1", "uri3", "uri3" exist?</P> Tue, 08 Sep 2015 22:15:15 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207251#M187741 matt_cunningham 2015-09-08T22:15:15Z https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207252#M187742 <P>Without seeing an example of your data set, there are a few ways to approach this. One way would be to do a stats against the uri_stem by src_ip, where uri_stem is &gt; 5. </P> <P>.. | stats count(uri_stem) AS uri_count by src_ip | where uri_count &gt; 5 | table src_ip uri_count</P> <P>This does depend on uri_stem being normalized to a usable value, perhaps base url or similar...</P> Tue, 29 Sep 2020 07:11:06 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207252#M187742 esix_splunk 2020-09-29T07:11:06Z https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207253#M187743 <P>OP: Here is the issue, I know the 5 uri stems that the group is always hitting and they only hit those uri stems. I am looking for a solution that will search for any user who has hit all five of the specific uri stems and nothing else. This is a way of tracking their activity, but I don't know if such a query is possible</P> Tue, 08 Sep 2015 22:37:41 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207253#M187743 matt_cunningham 2015-09-08T22:37:41Z https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207254#M187744 <P>If you know the URIs, you can futher filter on this..</P> <PRE><CODE>.. | stats count(uri_stem) AS uri_count by src_ip uri_stem | where uri_count &gt; 5 | search uri_stem="uri1" OR uri_stem="uri2" OR uri_stem="uriN" | table uri_stem src_ip uri_count </CODE></PRE> <P>If you have a large number of URIs, you can do a lookup in there to match against them also...</P> Tue, 08 Sep 2015 22:46:36 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207254#M187744 esix_splunk 2015-09-08T22:46:36Z https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207255#M187745 <P>Try something like this ( assuming you've hard-coded list of uri_stem and after sorting alphabatically, they are in order or uri1, uri2, uri3, uri4 uri5)</P> <PRE><CODE>your base search | stats values(uri_stem) as uri_stem by src_ip | where mvcount uri_stem=5 AND mvindex(uri_stem,0)="uri1" AND mvindex(uri_stem,1)="uri2" AND mvindex(uri_stem,2)="uri3" AND mvindex(uri_stem,3)="uri4" AND mvindex(uri_stem,4)="uri5" </CODE></PRE> <P>Description: get list of distinct uri_stem hit by src_ip, filter where count is 5 and only hard-coded list of 5 uri_stem are hit.</P> Tue, 29 Sep 2020 07:11:11 GMT https://community.splunk.com/t5/Splunk-Search/I-need-to-find-an-IP-Address-or-user-agent-for-a-client-that/m-p/207255#M187745 somesoni2 2020-09-29T07:11:11Z