Solved: Re: How to build a correlation search for direct w...

SIEMStudent · ‎04-20-2022

Hi Splunkers,

I'm facing the following task: I have to build a correlation search that check users that go on a web page without using proxy or, in other words, direct traffic that no pass throug it.

The rule itself is not a problem; i could perform some checks, for example if the host is not a proxy. My question is: using Data Model Web, because one bound is to use DM if possible, how can I distinguish direct web traffic by proxy one? I mean, which field, or fields, am I supposed to check to identify direct traffic from proxy one using this DM? Is this action possible with Web DM?

smurf · ‎04-21-2022

Hi,

if you know that you can find it based on a host, you can use it in the data model too.

| tstats count from datamodel=Web where host=not_a_proxy

View solution in original post

smurf · ‎04-21-2022

Hi,

if you know that you can find it based on a host, you can use it in the data model too.

| tstats count from datamodel=Web where host=not_a_proxy

How to build a correlation search for direct web traffic without proxy?

field extraction

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!