Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How To Summary Index Unique Visitor Sessions In IIS Every 5 Mins ?

john_loch
Explorer
‎11-27-2010 07:06 AM

I need to update a summary index with Unique IP counts every 5 mins.

What would be the optimal way to check for unique IP's over say -8m@m to -3m@m (ie 5 min period ending 3 mins ago) that don't occur in a 30min window preceding that.

The basic premise is that any activity within the preceding 30 mins indicates a continuing session while absence indicates a new session (if IP appears within the 5 min window).

I'm sure this is covered somewhere from a standard indexing standpoint, but needing to push it into a summary index every 5 mins means I need to be careful about overlaps etc.

Thanks all 🙂

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-29-2010 08:16 PM

I'm not sure exactly what you're trying to count? Is it just "IPs that appear in the last 5 minutes that have also not appeared in the prior 30 minutes (or 25 minutes")"? That is, the number of new visits in the most recent 5 minute window?

The simple way of doing this is:

sourcetype=log earliest=-38m@m latest=-3min@m | stats min(_time) as earliest by ip | where earliest < relative_time(now(),"-8m@m") | stats count

A more efficient way, knowing that you are running this every 5 minutes would be to run a search that built and updated a lookup table with the new IPs seen in the last 5 minutes as it went:

sourcetype=log earliest=-8m@m latest=-3m@m | stats min(_time) as earliest by ip | inputlookup append=t recentips | stats min(_time) as earliest by ip | where earliest > relative_time(now(),"-38m@m") | outputlookup recentips

And to get the number for you more recent 5 minute interval (after the other search has run)

| inputlookup recentips | where earliest > -8m@m | stats count
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...