How to detect regular activity from logs.

souhei · ‎01-08-2015

Hi, splunk community.

I would like to detect regular activity with specific URL (or host) from HTTP Proxy logs.
In detail, for example, To detect specific host or URL which someone regularly request for from many many host. Regardless of how long span the regularly activity occurred.
that is, it may be occurred per an hour, or per a day, or per a month...

I tried some commands like "gentimes", "map", "trendline"..., but none of them solved my problem.

What statement should i write?

souhei · ‎01-09-2015

Thank you in advance for your best kindness, FritsWittwer, MuS.

but, My view point is not "number" of request, but "regularity" of request...

souhei · ‎01-09-2015

Thank you for your comment, MuS.

I will try your suggestion.

MuS · ‎01-09-2015

simply add _time and create a nice chart to graph it and you should see want you want:

... | timechart count by URL| ...

or

... | chart count(action) over _time by URL | ....

FritzWittwer_ol · ‎01-08-2015

Hi
Just my five Cents, I’d try to use a field extractions so I have http://hogehoge.com in a field Url, and then

…| stats count by Url | sort -count

Would give you a list of the repeated URLs requested.

Fritz

MuS · ‎01-08-2015

and I add my two cents: in addition to the field URL add also a field called action and get POST and GET into this field. This way get not only the URL count but also what kind of action was done against this URL...like this:

... | stats count by URL, action | ...

cheers, MuS

FritzWittwer_ol · ‎01-08-2015

Hi souhei,
just a simple approach if regular means same URL, you could use

... |stats  stats count by URL

assuming URL is the field containing the URL

How to detect regular activity from logs.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life