Visits on IIS (Sharepoint Server)

andresito123
Communicator

Hello,

I have to create a report similar to the AWStats "Visits" attribute. AWStats defines visits as:

Number of visits made by all visitors. Think "session" here, say a unique IP accesses a page, and then requests three other pages within an hour. All of the "pages" are included in the visit, therefore you should expect multiple pages per visit and multiple visits per unique visitor (assuming that some of the unique IPs are logged with more than an hour between requests)

Reference: https://awstats.sourceforge.io/docs/awstats_glossary.html

In my logs, due to the load balancer in front, I cannot make a distinction by IP, so I will do it with the username (you have to log in in order to see this site).

The question is how I can build up such a search, a search that will calculate the number of visits and if there is a gap of more than 1 hour per each user, the subsequent visit will be calculated as a "visit" as per AWStats definition.

1 Solution

andresito123
Communicator

1. Create a table for your events, with columns IP, event time and event timestamp. The timestamp will help you calculate the time period between consecutive events (tip: use "eval")
2. Sort this table by IP and then by event time.
3. Use "streamstats" to handle your search results in a streaming manner. Add the option current = f (false) to handle every new event individually.
4. Compare the new event's user and timestamp with your last kept event.
   - If the new IP is different from the previous IP, keep the event (remember that our table is primarily sorted by IP, so we deal with all requests from each IP at a time)
   - If the difference between the new event's timestamp and the last kept timestamp is more than 3600 seconds, keep the event.
   - If the last kept IP is null, it means we are dealing with our first event, so keep the event.
   - Drop all other events.
5. Perform a count over your previous search to obtain the total number of visits.

tip: keeping specific events with streamstats can be done using the "where" command
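
One way to write the search described in the steps above, as an added example that is not part of the original post. It keys on the username instead of the IP, as the question asks, and measures the gap between consecutive requests of the same user, following the AWStats wording. The `<your_index>` placeholder, the `iis` sourcetype and the `cs_username` field name are assumptions about how the IIS logs are ingested; adjust them to your environment.

```spl
index=<your_index> sourcetype=iis cs_username=* cs_username!="-"
| eval event_ts=_time
| sort 0 cs_username event_ts
| streamstats current=f last(event_ts) as prev_ts by cs_username
| eval gap_seconds=event_ts - prev_ts
| where isnull(prev_ts) OR gap_seconds > 3600
| stats count as visits by cs_username
| addcoltotals labelfield=cs_username label="ALL USERS"
```

Each row that survives the `where` is the first request of a visit, so the count per user is that user's number of visits. Replace the last two lines with `| stats count as visits` to get only the overall total.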


ohbuckeyeio
Path Finder

Did you ever work through this? I am tackling a similar issue and have some thoughts on building a session ID off of events in the IIS logs. The tricky part is doing it within the SharePoint URL framework with a mixture of cs_hosts that hit a site directly VS those that are site collections.

Also, you can enable advanced logging on your IIS server and have your load balancer forward an X-Forwarded-For header with the client IP. This will allow you to get around the client IP issue.
