How to find the number of unique visitors to a website using logs? I am using source type iis

Explorer

sourcetype="iis". I could see the following fields

Interesting Fields
cs_method 1
cs_uri_stem 1
cs_User_Agent 1
date 1
date_hour 21
date_mday 1
date_minute 60
date_month 1
date_second 12
date_wday 1
date_year 1
date_zone 1
index 1
linecount 1
punct 1
s_ip 1
s_port 1
sc_status 1
sc_substatus 1
sc_win32_status 1
splunk_server 1
time 100+
time_taken 100+

0 Karma
1 Solution

Legend

Assuming you used INDEXED_EXTRACTIONS=w3c, you should have a field called c_ip. This is the IP address of the client that made the request. Now, this also could be a NAT'd IP, with userid in your log file (in querystring), it is not 100% reliable. Given what you have, try this search:

sourcetype=iis | stats dc(c_ip) as client_ip 

*OR*

sourcetype=iis earliest=@d | timechart span=1h dc(c_ip) as client_ip

Here's some reading on how to configure IIS logs: http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

0 Karma

Explorer

Thanks for the above reply. I checked my props.conf and I could see INDEXED_EXTRACTIONS=w3c.
After executing the following search command I got the count.

sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS TotalUniqueClientIP

How could I get the result set listing each unique IP (c_ip) and the corresponding list of page visits (cs_uri_stem) made by that IP (c_ip) on the website?

Sorry, I started using Splunk 2 days ago and am still trying to learn search commands. Any help will be appreciated.

0 Karma

Legend

Try this

sourcetype="iis" | stats count by s_ip cs_uri_stem
0 Karma

Explorer

Did you mean c_ip? I have 7k+ lines in my log and all of them have the same s_ip.

Can I assume that the count returned by the following search command is the total number of unique client visits on the website?

sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS TotalUniqueClient_IP

0 Karma

Legend

Yes, I meant c_ip. The search command you show will give you the distinct count of c_ip. You don't need the dedup command. dc = distinct_count

For just a list of sites visited by c_ip, you can do

sourcetype="iis" | stats count by c_ip cs_uri_stem | fields - count

*OR*

sourcetype="iis" | stats values(cs_uri_stem) as uri_stem by c_ip
0 Karma
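
An offline cross-check for the searches in this thread, added here as an example and not posted by any participant: it parses raw IIS W3C lines and computes the distinct client IP count (what dc(c_ip) returns), the URIs per client IP (what values(cs_uri_stem) by c_ip returns), and the distinct (client IP, User-Agent) pairs as a rough sign of several clients behind one NAT'd address. The sample log lines and function names are constructed for illustration; the raw log spells the columns with hyphens (c-ip, cs-uri-stem).

```python
from collections import defaultdict

# Constructed sample in IIS W3C format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-03-01 21:00:00
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status time-taken
2014-03-01 21:00:01 10.0.0.5 GET /default.aspx 80 192.0.2.10 Mozilla/5.0+(Windows) 200 15
2014-03-01 21:00:02 10.0.0.5 GET /about.aspx 80 192.0.2.10 Mozilla/5.0+(Windows) 200 31
2014-03-01 21:00:03 10.0.0.5 GET /default.aspx 80 192.0.2.10 Mozilla/5.0+(Macintosh) 200 12
2014-03-01 21:00:04 10.0.0.5 GET /login.aspx 80 198.51.100.7 curl/7.30 200 8
#Fields: date time c-ip cs(User-Agent) cs-uri-stem sc-status
2014-03-01 21:00:05 198.51.100.7 curl/7.30 /default.aspx 304
2014-03-01 21:00:06 truncated-line
"""

def parse_w3c(text):
    """Yield one dict per request, mapping columns by the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header can repeat or change mid-file
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                        # other directives, blanks, headerless data
        else:
            values = line.split()           # spaces inside values are logged as '+'
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize(text):
    pages = defaultdict(set)                # c-ip -> set of cs-uri-stem
    ip_agents = set()                       # (c-ip, User-Agent) pairs
    for row in parse_w3c(text):
        pages[row["c-ip"]].add(row["cs-uri-stem"])
        ip_agents.add((row["c-ip"], row.get("cs(User-Agent)", "-")))
    return {
        "unique_ips": len(pages),                    # same idea as dc(c_ip)
        "unique_ip_agent_pairs": len(ip_agents),     # higher than unique_ips hints at shared IPs
        "pages_by_ip": {ip: sorted(p) for ip, p in pages.items()},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
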