Splunk Search

How to write a search and alert if one IP visits one Visit Order over N number of times within a certain time range (T)?

Moon629
Explorer

Hi,

Now, we have the following use case, but I don't know how to write the search. Please help~

In application log, let's define "visit URL1, URL2, URL3......continuously in order" as a Visit Order;

Then how to set up an alert as the following:

When one IP visits one Visit Order more than N times in the time range T, then alert.

Please note, the Visit Order is not set up at the beginning.

Thanks in advance~^_^

0 Karma

stephanefotso
Motivator

Looking at your comment, you must first extract IP and URL to detect that clientIP1 visits an order - "URL1, URL2, URL3".
Here you go.

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|table IP url

You can also count .......

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|stats count

Thanks

SGF
0 Karma

Moon629
Explorer

Thanks for your help. But the URL1, URL2, URL3...are not defined at the beginning, which means we want to detect the Visit Order that one IP visited many times.

0 Karma

stephanefotso
Motivator

Try like this

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|eventstats earliest(url) as start_url latest(url) as end_url by IP|transaction IP startswith=eval(url==start_url) endswith=eval(url==end_url)|stats count

SGF
0 Karma

stephanefotso
Motivator

Hello! Can we get sample data from your log, and also can you please explain how one IP visits one Visit Order? Maybe something which can help write the query?
Thanks

SGF
0 Karma

Moon629
Explorer

Oh, hello~
It is an access log; I cannot export the log since it is in production, but I can give an example if it helps.
How to detect that clientIP1 visited an order - "URL1, URL2, URL3" 2 times?

   2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
   2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
   2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
   2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL4" 0.0030 44
   2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
   2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
   2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44

0 Karma
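The detection the question asks for, as an added reference implementation in Python rather than SPL (not code from the thread): it parses lines in the layout of the sample log above, treats every run of order_len consecutive requests by one IP as a candidate Visit Order, and reports any order that the same IP repeated more than N times inside a window of T seconds, so the order never has to be configured in advance. The order length, N and T are assumed parameters, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the access log quoted in the thread
# (user agent shortened; the parser does not depend on its contents).
SAMPLE_LOG = """\
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible)" "URL3" 0.0030 44
"""

# date time clientIP user destIP - method path "user agent" "url" ...
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<ip>\S+) \S+ \S+ - \S+ \S+ "[^"]*" "(?P<url>[^"]*)"')

def parse(log):
    """Return (timestamp, ip, url) tuples in time order; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["url"]))
    return sorted(events)

def repeated_orders(events, order_len=3, n=1, window_seconds=600):
    """Return {(ip, order): count} for every run of order_len consecutive URLs that
    one IP repeated more than n times inside some window of window_seconds (T).
    Orders are learned from the traffic itself, not configured in advance (assumed parameters)."""
    per_ip = defaultdict(list)
    for ts, ip, url in events:
        per_ip[ip].append((ts, url))
    hits = {}
    for ip, reqs in per_ip.items():
        seen = defaultdict(list)  # candidate order -> start time of each occurrence
        for i in range(len(reqs) - order_len + 1):
            seen[tuple(u for _, u in reqs[i:i + order_len])].append(reqs[i][0])
        for order, stamps in seen.items():
            lo = 0
            for hi in range(len(stamps)):  # sliding window over occurrence times
                while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                    lo += 1
                if hi - lo + 1 > n:
                    hits[(ip, order)] = max(hits.get((ip, order), 0), hi - lo + 1)
    return hits
```

Overlapping runs (for example the same URL requested four times in a row) are counted as separate occurrences, so tune order_len and N against real traffic before wiring the result into an alert.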