Getting Data In

How to find the number of unique visitors to a website using logs? I am using sourcetype iis.

gowthamkb
Explorer

sourcetype="iis". I could see the following fields:

Interesting Fields (distinct values)
cs_method 1
cs_uri_stem 1
cs_User_Agent 1
date 1
date_hour 21
date_mday 1
date_minute 60
date_month 1
date_second 12
date_wday 1
date_year 1
date_zone 1
index 1
linecount 1
punct 1
s_ip 1
s_port 1
sc_status 1
sc_substatus 1
sc_win32_status 1
splunk_server 1
time 100+
time_taken 100+


sundareshr
Legend

Assuming you used INDEXED_EXTRACTIONS=w3c, you should have a field called c_ip. This is the IP address of the client that made the request. Now, this could also be a NAT'd IP; with a userid in your log file (in the querystring), it is not 100% reliable. Given what you have, try this search:

sourcetype=iis | stats dc(c_ip) as client_ip 

*OR*

sourcetype=iis earliest=@d | timechart span=1h dc(c_ip) as client_ip

Here's some reading on how to configure IIS logs: http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/


gowthamkb
Explorer

Thanks for the above reply. I checked my props.conf and I could see INDEXED_EXTRACTIONS=w3c.
After executing the following search command I got the count:
sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS Total_Unique_Client_IP

How could I get a result set listing each unique IP (c_ip) and the corresponding list of page visits (cs_uri_stem) made by that IP on the website?

Sorry, I started using Splunk 2 days ago and am still trying to learn the search commands. Any help will be appreciated.


sundareshr
Legend

Try this

sourcetype="iis" | stats count by s_ip cs_uri_stem

gowthamkb
Explorer

Did you mean c_ip? I have 7k+ lines in my log and all of them have the same s_ip.

Can I assume that the count returned by the following search command is the total number of unique client visits on the website?

sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS Total_Unique_Client_IP


sundareshr
Legend

Yes, I meant c_ip. The search command you show will give you the distinct count of c_ip. You don't need the dedup command; dc = distinct_count.

For just a list of sites visited by c_ip, you can do

sourcetype="iis" | stats count by c_ip cs_uri_stem | fields - count

*OR*

sourcetype="iis" | stats values(cs_uri_stem) as uri_stem by c_ip
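The searches in this thread (sundareshr's stats dc(c_ip) and hourly timechart from the accepted answer, and the final stats values(cs_uri_stem) by c_ip), re-implemented in Python over a few constructed IIS W3C log lines so the logic can be checked offline. This is an added example, not code from the thread or from Splunk; the sample log, the header-to-field-name mapping, and the c_ip plus cs_User_Agent pairing used to illustrate the NAT caveat are assumptions made here, not something the thread specifies.

```python
"""Offline equivalents of the SPL searches in this thread, over constructed IIS W3C log lines.

  stats dc(c_ip)                                  -> unique_client_ips()
  timechart span=1h dc(c_ip)                      -> unique_client_ips_per_hour()
  stats values(cs_uri_stem) as uri_stem by c_ip   -> uris_by_client_ip()
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real traffic. Layout follows the IIS W3C extended
# format: '#' directives, then space-delimited rows in #Fields: order.
# The fourth row reuses 203.0.113.10 with a different User-Agent to stand in
# for two hosts behind one NAT address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-06-01 09:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2015-06-01 09:00:05 10.0.0.5 GET /about.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 9
2015-06-01 09:15:22 10.0.0.5 GET /index.html - 80 - 198.51.100.7 curl/7.43.0 200 0 0 4
2015-06-01 10:02:10 10.0.0.5 GET /login - 80 - 203.0.113.10 Mozilla/4.0 302 0 0 30
2015-06-01 10:30:45 10.0.0.5 POST /login - 80 - 192.0.2.44 Mozilla/5.0 401 1 0 12
2015-06-01 10:31:02 10.0.0.5 GET /index.html - 80 - 192.0.2.44 Mozilla/5.0 200 0 0 8
"""


def _splunk_name(w3c_field):
    """Map a W3C header token to the field name seen in the question's sidebar:
    'c-ip' -> 'c_ip', 'cs(User-Agent)' -> 'cs_User_Agent'. (Assumed mapping;
    it reproduces the names listed in the question.)"""
    return w3c_field.replace("(", "_").replace(")", "").replace("-", "_")


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names from the #Fields: directive,
    the way INDEXED_EXTRACTIONS=w3c derives fields from the log header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [_splunk_name(tok) for tok in line[len("#Fields:"):].split()]
            continue
        if fields is None:
            raise ValueError("data row before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated row instead of misaligning columns
        yield dict(zip(fields, values))


EVENTS = list(parse_w3c(SAMPLE_LOG))


def unique_client_ips(events):
    """stats dc(c_ip): distinct client addresses; no dedup step is needed."""
    return len({e["c_ip"] for e in events})


def unique_client_ips_per_hour(events):
    """timechart span=1h dc(c_ip): distinct client addresses per hour bucket."""
    buckets = defaultdict(set)
    for e in events:
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        buckets[ts.replace(minute=0, second=0)].add(e["c_ip"])
    return {hour.strftime("%Y-%m-%d %H:00"): len(ips) for hour, ips in sorted(buckets.items())}


def uris_by_client_ip(events):
    """stats values(cs_uri_stem) as uri_stem by c_ip: the pages each client hit."""
    pages = defaultdict(set)
    for e in events:
        pages[e["c_ip"]].add(e["cs_uri_stem"])
    return {ip: sorted(uris) for ip, uris in pages.items()}


def unique_ip_agent_pairs(events):
    """Heuristic for the NAT caveat (not from the thread): counting distinct
    (c_ip, cs_User_Agent) pairs separates some clients that share one address.
    It still undercounts identical browsers behind one NAT and overcounts a
    single client that changes its User-Agent."""
    return len({(e["c_ip"], e["cs_User_Agent"]) for e in events})


if __name__ == "__main__":
    print("dc(c_ip):", unique_client_ips(EVENTS))
    print("dc(c_ip) per hour:", unique_client_ips_per_hour(EVENTS))
    print("dc(c_ip, cs_User_Agent):", unique_ip_agent_pairs(EVENTS))
    for ip, uris in uris_by_client_ip(EVENTS).items():
        print(ip, uris)
```

On the sample, dc(c_ip) is 3 while the (c_ip, cs_User_Agent) pair count is 4, which is the point sundareshr makes about NAT'd addresses: c_ip gives a lower bound on distinct clients, not an exact visitor count. The parser takes the column order from the #Fields: line rather than fixed positions, so it keeps working if the IIS logging fields are reordered or extended.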