Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How do I write a search to Compare Bot Traffic in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a site that was hit recently by a bot that ended up basically DDOSing the site for a few hours as it crawled the site. We were noticing an increase in connection to the web server, but the numbers were not too far out of normal overall to throw alarm bells right away (increased from around 1500-3000 per time period over a few hours, coinciding with the start of business)
However after some deep dives into the log, we learned that nearly all of that increase was due to a bot hitting the site (38% of all site traffic that day was this one bot)
I wanted to write a search that would allow me to categorize all bot traffic into one category and then create a running total for each time period, and then set up an alert to go off if the current period is at or above the previous day's numbers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I consulted with the guys on splunk-usergroups and we decided that calculating the median for the previosu day, and then compare this hour to the median value from yesterday and alerting if the hours bot traffic is higher than the median value, With the help of those guys and a little of my own magic, i was able to figure out the queries i want.
first query to populate the output table:
index=foo sourcetype="ms:iis:default" sc_status!=403
|eval useragent = if(match(cs_User_Agent_ ,".*bot.*"), "BOT", "USER")
| timechart span=1h count by useragent
| streamstats median(BOT) as thembots, median(USER) as themusers
| outputlookup foo_botHistory.csv
Second query to compare this hour to the table and alert on any interesting fields.
index=foo sourcetype="ms:iis:default" sc_status!=403
| eval useragent = if(match(cs_User_Agent_ ,".*bot.*"), "BOT", "USER")
| timechart span=1h count by useragent
| stats max(BOT) as nowBots
| inputlookup append=true foo_botHistory.csv
| stats max(thembots) as normalbots, max(themusers) as normalusers, max(nowBots) as nowBots
| where nowBots > normalbots * 1.5
Any advice on improving this search or its alerts would be much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I consulted with the guys on splunk-usergroups and we decided that calculating the median for the previosu day, and then compare this hour to the median value from yesterday and alerting if the hours bot traffic is higher than the median value, With the help of those guys and a little of my own magic, i was able to figure out the queries i want.
first query to populate the output table:
index=foo sourcetype="ms:iis:default" sc_status!=403
|eval useragent = if(match(cs_User_Agent_ ,".*bot.*"), "BOT", "USER")
| timechart span=1h count by useragent
| streamstats median(BOT) as thembots, median(USER) as themusers
| outputlookup foo_botHistory.csv
Second query to compare this hour to the table and alert on any interesting fields.
index=foo sourcetype="ms:iis:default" sc_status!=403
| eval useragent = if(match(cs_User_Agent_ ,".*bot.*"), "BOT", "USER")
| timechart span=1h count by useragent
| stats max(BOT) as nowBots
| inputlookup append=true foo_botHistory.csv
| stats max(thembots) as normalbots, max(themusers) as normalusers, max(nowBots) as nowBots
| where nowBots > normalbots * 1.5
Any advice on improving this search or its alerts would be much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I know the reason for using cs_User_Agent_ ..I mean aunderscore after Agent ? Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
