Splunk Search

How to write a search and alert if one IP visits one Visit Order over N number of times within a certain time range (T)?

Explorer

Hi,

Now, we have the following use case, but I don't know how to write the search. Please help~

In application log, let's define "visit URL1, URL2, URL3......continuously in order" as a Visit Order;

Then how to set up an alert as the following:

When one IP visits one Visit Order more than N times in the time range T, then alert.

Please note, the Visit Order is not set up at the beginning.

Thanks in advance~^_^

0 Karma

Motivator

Viewing your comment, you must first extract IP and URL to detect that clientIP1 visits an order - "URL1, URL2, URL3".
Here you go.

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|table IP url

You can also count .......

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|stats count

Thanks

0 Karma

Explorer

Thanks for your help. But URL1, URL2, URL3... are not defined at the beginning, which means we want to detect a visit order that was visited by one IP many times.

0 Karma

Motivator

Try like this

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|eventstats earliest(url) as start_url latest(url) as end_url by IP|transaction IP startswith=eval(url=start_url) endswith=eval(url=end_url)|stats count

0 Karma

Motivator

Hello! Can we get a sample data of your log, and also please can you explain how one IP visits one Visit Order? Maybe something which can help write the query?
Thanks

0 Karma

Explorer

Oh, hello~
It is an access log. I cannot export the log since it is in production, but I can give an example if it helps.
How to detect clientIP1 visiting an order - "URL1, URL2, URL3" 2 times?
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44

0 Karma
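The detection the question asks for, written out in Python rather than SPL so the logic can be checked end to end on the sample lines above. This is an added example, not code from the thread or from Splunk. It assumes the "URL" is the quoted field after the user agent (as the rex in the answers does), that a Visit Order is any run of 3 consecutive URLs by one IP (order_len), that N is 2 (threshold) and T is 600 seconds (window_seconds); the clientIP2 lines are constructed here to show the time-window check, since their two passes over URL1, URL2, URL3 are 65 minutes apart. Because the order is not known up front, every run of order_len consecutive URLs is treated as a candidate and repeated ones are discovered from the data.

```python
"""Detect one client IP repeating the same sequence of URLs (a "Visit Order")
N or more times inside a time window of T seconds.

Added illustration for the thread above; not SPL and not code from the thread.
Sample log lines are constructed to mirror the poster's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample data: clientIP1 is the poster's example (URL1..URL4, then
# URL1..URL3 again); clientIP2 is added here and repeats URL1..URL3 only after
# 65 minutes, so it must not alert with a 600-second window.
SAMPLE_LOG = """\
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 19:25:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:26:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:27:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 20:30:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 20:31:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 20:32:20 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
"""

# Same extraction the thread's rex performs: skip date and time, take the client
# IP, then the quoted field after the user agent (what the poster calls the URL).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '  # date and time
    r'(?P<ip>\S+) \S+ \S+ - \S+ \S+ '                 # clientIP userID destIP - method path
    r'"[^"]*" '                                       # user agent
    r'"(?P<url>[^"]+)"'                               # URL field
)


def parse_events(text):
    """Return (timestamp, ip, url) tuples for every line matching the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record; skip rather than fail
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("url")))
    return events


def find_repeated_orders(events, order_len=3, threshold=2, window_seconds=600):
    """Map (ip, visit_order) -> highest number of times that IP made that
    order within any window_seconds-long stretch, kept only when >= threshold.

    The order is not configured: every run of order_len consecutive URLs by an
    IP is a candidate, so repeated orders are discovered from the data.
    Occurrences may overlap (e.g. URL1,URL1,URL1,URL1 counts twice for length 3).
    """
    by_ip = defaultdict(list)
    for ts, ip, url in sorted(events):  # chronological per IP
        by_ip[ip].append((ts, url))

    alerts = {}
    for ip, visits in by_ip.items():
        # candidate order -> start time of each occurrence (sorted, since visits are)
        starts_by_order = defaultdict(list)
        for i in range(len(visits) - order_len + 1):
            order = tuple(url for _, url in visits[i:i + order_len])
            starts_by_order[order].append(visits[i][0])

        for order, starts in starts_by_order.items():
            recent = deque()  # occurrence start times inside the current window
            for ts in starts:
                recent.append(ts)
                while (ts - recent[0]).total_seconds() > window_seconds:
                    recent.popleft()  # too old for the window ending at ts
                if len(recent) >= threshold:
                    key = (ip, order)
                    alerts[key] = max(alerts.get(key, 0), len(recent))
    return alerts


def run_demo():
    """N = 2 repeats of a 3-URL order within T = 600 seconds."""
    return find_repeated_orders(parse_events(SAMPLE_LOG),
                                order_len=3, threshold=2, window_seconds=600)


if __name__ == "__main__":
    for (ip, order), count in run_demo().items():
        print(f"ALERT {ip} repeated {' -> '.join(order)} {count} times within 600s")
```

With the defaults only clientIP1 alerts (URL1 -> URL2 -> URL3, twice, four minutes apart); widening window_seconds to 7200 makes clientIP2 alert as well, which is the knob the question calls T. In Splunk the equivalent is to schedule the search over T and alert when the per-IP count of the repeated transaction reaches N.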