Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you list source IPs that hit only two URLs in WEB source types?

aamer86
Path Finder
‎02-05-2019 06:51 AM

We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs.

The fields are:

src for source IP
uri_path for hit URL

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎02-05-2019 12:58 PM

Try this:

| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src
0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-05-2019 08:23 AM

Then this should do it:

<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src

You can substitute stats with tstats if uri_path is an indexed field. YMMV.

0 Karma
Reply

aamer86
Path Finder
‎02-05-2019 08:50 AM

Thanks but this is really slow search using transaction

can we have something to be used with tstats and Data Model

0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-05-2019 10:17 AM

I've updated my answer to reflect that. Should be faster/more flexible.

0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-05-2019 06:59 AM

So, something like:

<base search here>
| stats distinct_count(uri_path) as distinct_uri_count by src
| where distinct_uri_count = 2

?

0 Karma
Reply

aamer86
Path Finder
‎02-05-2019 07:06 AM

Thanks but I need to get the list of IPs that hit two URLs
account/XYz and account/ABC

0 Karma
Reply

ccl0utier
Splunk Employee
Splunk Employee
‎02-05-2019 07:27 AM

You can add values(src) to the stats command then?

Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?

0 Karma
Reply

aamer86
Path Finder
‎02-05-2019 07:38 AM

sorry I think I should have explained it better

so we need to get all the IPs that ONLY hit two urls

account/logon
member/savedcard

As this has been detected as an attack pattern

So i need the IPs that hit only these two URLs

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...