Splunk Search

How do you list source IPs that hit only two URLs in WEB source types?

aamer86
Path Finder

We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs.

The fields are:

src for source IP
uri_path for hit URL

Tags (1)
0 Karma

woodcock
Esteemed Legend

Try this:

| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src
0 Karma

ccl0utier
Splunk Employee
Splunk Employee

Then this should do it:

<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src

You can substitute stats with tstats if uri_path is an indexed field. YMMV.

0 Karma

aamer86
Path Finder

Thanks but this is really slow search using transaction

can we have something to be used with tstats and Data Model

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

I've updated my answer to reflect that. Should be faster/more flexible.

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

So, something like:

<base search here>
| stats distinct_count(uri_path) as distinct_uri_count by src
| where distinct_uri_count = 2

?

0 Karma

aamer86
Path Finder

Thanks but I need to get the list of IPs that hit two URLs
account/XYz and account/ABC

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

You can add values(src) to the stats command then?

Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?

0 Karma

aamer86
Path Finder

sorry I think I should have explained it better

so we need to get all the IPs that ONLY hit two urls

account/logon
member/savedcard

As this has been detected as an attack pattern

So i need the IPs that hit only these two URLs

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...