Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to detect regular activity from logs.

souhei
Explorer
‎01-08-2015 04:51 AM

Hi, splunk community.

I would like to detect regular activity with specific URL (or host) from HTTP Proxy logs.
In detail, for example, To detect specific host or URL which someone regularly request for from many many host. Regardless of how long span the regularly activity occurred.
that is, it may be occurred per an hour, or per a day, or per a month...

I tried some commands like "gentimes", "map", "trendline"..., but none of them solved my problem.

What statement should i write?

0 Karma
Reply

souhei
Explorer
‎01-09-2015 12:16 AM

Thank you in advance for your best kindness, FritsWittwer, MuS.

but, My view point is not "number" of request, but "regularity" of request...

0 Karma
Reply

souhei
Explorer
‎01-09-2015 02:12 AM

Thank you for your comment, MuS.

I will try your suggestion.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎01-09-2015 12:21 AM

simply add _time and create a nice chart to graph it and you should see want you want:

... | timechart count by URL| ...

or

... | chart count(action) over _time by URL | ....
0 Karma
Reply

FritzWittwer_ol
Contributor
‎01-08-2015 11:09 PM

Hi
Just my five Cents, I’d try to use a field extractions so I have http://hogehoge.com in a field Url, and then

…| stats count by Url | sort -count

Would give you a list of the repeated URLs requested.

Fritz

Reply

MuS
SplunkTrust
SplunkTrust
‎01-08-2015 11:43 PM

and I add my two cents: in addition to the field URL add also a field called action and get POST and GET into this field. This way get not only the URL count but also what kind of action was done against this URL...like this:

... | stats count by URL, action | ...

cheers, MuS

0 Karma
Reply

FritzWittwer_ol
Contributor
‎01-08-2015 05:02 AM

Hi souhei,
just a simple approach if regular means same URL, you could use 

... |stats  stats count by URL

assuming URL is the field containing the URL

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...