Knowledge Management

How To Summary Index Unique Visitor Sessions In IIS Every 5 Mins ?


I need to update a summary index with Unique IP counts every 5 mins.

What would be the optimal way to check for unique IP's over say -8m@m to -3m@m (ie 5 min period ending 3 mins ago) that don't occur in a 30min window preceding that.

The basic premise is that any activity within the preceding 30 mins indicates a continuing session while absence indicates a new session (if IP appears within the 5 min window).

I'm sure this is covered somewhere from a standard indexing standpoint, but needing to push it into a summary index every 5 mins means I need to be careful about overlaps etc.

Thanks all 🙂

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

I'm not sure exactly what you're trying to count? Is it just "IPs that appear in the last 5 minutes that have also not appeared in the prior 30 minutes (or 25 minutes")"? That is, the number of new visits in the most recent 5 minute window?

The simple way of doing this is:

sourcetype=log earliest=-38m@m latest=-3min@m | stats min(_time) as earliest by ip | where earliest < relative_time(now(),"-8m@m") | stats count

A more efficient way, knowing that you are running this every 5 minutes would be to run a search that built and updated a lookup table with the new IPs seen in the last 5 minutes as it went:

sourcetype=log earliest=-8m@m latest=-3m@m | stats min(_time) as earliest by ip | inputlookup append=t recentips | stats min(_time) as earliest by ip | where earliest > relative_time(now(),"-38m@m") | outputlookup recentips

And to get the number for you more recent 5 minute interval (after the other search has run)

| inputlookup recentips | where earliest > -8m@m | stats count
0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...