Splunk Search

How do you list source IPs that hit only two URLs in WEB source types?

aamer86
Path Finder

We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs.

The fields are:

src for source IP
uri_path for hit URL

Tags (1)
0 Karma

woodcock
Esteemed Legend

Try this:

| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src
0 Karma

ccloutier_splun
Splunk Employee
Splunk Employee

Then this should do it:

<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src

You can substitute stats with tstats if uri_path is an indexed field. YMMV.

0 Karma

aamer86
Path Finder

Thanks but this is really slow search using transaction

can we have something to be used with tstats and Data Model

0 Karma

ccloutier_splun
Splunk Employee
Splunk Employee

I've updated my answer to reflect that. Should be faster/more flexible.

0 Karma

ccloutier_splun
Splunk Employee
Splunk Employee

So, something like:

<base search here>
| stats distinct_count(uri_path) as distinct_uri_count by src
| where distinct_uri_count = 2

?

0 Karma

aamer86
Path Finder

Thanks but I need to get the list of IPs that hit two URLs
account/XYz and account/ABC

0 Karma

ccloutier_splun
Splunk Employee
Splunk Employee

You can add values(src) to the stats command then?

Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?

0 Karma

aamer86
Path Finder

sorry I think I should have explained it better

so we need to get all the IPs that ONLY hit two urls

account/logon
member/savedcard

As this has been detected as an attack pattern

So i need the IPs that hit only these two URLs

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...