Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way in Splunk to determine how a user arrived at a destination IP?

redhonda03_2
Engager
‎02-15-2023 12:05 PM

Is there a way in Splunk to determine how a user arrived at a destination IP? Did they click a link from a certain webpage, or did they go there directly?

Another way to look at it is if there is a way to separate user activity from webpage activity. Websites automatically load advertisements and other content automatically within a second, or a very small time interval. Users on the other hand are scrolling, clicking on a link, then clicking on another link which takes a significantly longer amount of time.

Being able to consolidate web page activity where dozens of destination addresses are accessed within 5 seconds into a single event where just the first record is shown would help to reduce the number of results returned when you're looking at a time window containing several thousand records.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-15-2023 11:49 PM

Hi @redhonda03_2,

the only answer to this question brings two other questions:

  • have you these information in the logs from the proxy or the web server?
  • did you ingested these logs in your Splunk?

if the answer is yes to both my answers, it's possible.

You have only to correlate events identifying the transaction keys (e.g. the username).

Ciao.

Giuseppe

0 Karma
Reply

redhonda03_2
Engager
‎02-17-2023 12:45 PM

Hi Guiseppe,

Regarding you questions, yes we have have web logs and yes they are being set to splunk. You mentioned "transaction keys", is this different that values listed in one of the 'interesting fields' listed in the Splunk search?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2023 11:10 PM

Hi @redhonda03_2,

as "transaction_key" I mean a common field that can be used to correlate different data, e.g. username, transaction_id, etc....

Having this field you can correlate data from different data source, otherwise it's really difficoult to create a correlation.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...