Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is it possible to query IIS logs for a monthly...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to query IIS logs for a monthly web application hit count for multiple web applications on a domain?
jasonmhamilton
New Member
01-20-2022
03:29 PM
Hello,
I was wondering if it is possible to use Splunk to query IIS logs for a monthly application hit count for multiple web applications on the same domain?
The report I need to submit would look something like:
http://domain/webapp1/ - ## total monthly hits
http://domain/webapp2/ - ## total monthly hits
....
I just need the overall total monthly hit count and not the total unique IP address hit count.
Any help would be much appreciated. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chef
Explorer
01-20-2022
04:46 PM
The easiest way would be to just run two separate searches to get your counts:
index=iis_index url=http://domain/webapp1/* | stats count
index=iis_index url=http://domain/webapp2/* | stats count
And just change your time period to be for the month.
If you wanted to do it in one search, you could do something like the following:
index=iis_index url=http://domain/webapp1/* OR url=http://domain/webapp2/*
| rex "http://domain/(?<webapp>[^/]+"
| stats count by webappThis second search will extract a new field named webapp which you will be able to use in stats functions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonmhamilton
New Member
01-20-2022
05:49 PM
I'm a Splunk newbie. How do I specify the timespan to a month and specify which month or start and end date/time for the query?
I currently use a LogParser query on the IIS logs to do this and wrote a script that I call with just the start and end date and time as variables (e.g "2022-01-01 00:00:00" "2022-01-31 23:59:59" as the start/end date and time). That method will not be an option much longer so I am looking to use Splunk for a new way of gathering these monthly metrics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chef
Explorer
01-20-2022
09:45 PM
When you ingest these logs into Splunk, it will detect the timestamp from the logs and store them accordingly.
So when you write a Splunk search, you will have the option of what timeframe you wish to search - you can see more details here:
https://docs.splunk.com/Documentation/Splunk/8.2.4/Search/Selecttimerangestoapply
There's a lot of preset time criteria you can use such as "Previous Month" and you can even select specific time and date ranges too.
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
