Hi, Splunk community.
I would like to detect regular activity involving a specific URL (or host) in HTTP proxy logs.
In detail, for example, I want to detect a specific host or URL that someone regularly requests from many, many hosts, regardless of how long a span the regular activity occurs over.
That is, it may occur every hour, every day, or every month...
I tried some commands like "gentimes", "map", "trendline"..., but none of them solved my problem.
What statement should I write?
Thank you in advance for your best kindness, FritsWittwer, MuS.
But my viewpoint is not the "number" of requests, but the "regularity" of requests...
Thank you for your comment, MuS.
I will try your suggestion.
simply add _time
and create a nice chart to graph it and you should see what you want:
... | timechart count by URL | ...
or
... | chart count(action) over _time by URL | ....
Hi
Just my five cents: I'd try to use a field extraction so I have http://hogehoge.com in a field Url, and then
…| stats count by Url | sort -count
Would give you a list of the repeated URLs requested.
Fritz
and I add my two cents: in addition to the field URL add also a field called action
and get POST
and GET
into this field. This way you get not only the URL count but also what kind of action was done against this URL... like this:
... | stats count by URL, action | ...
cheers, MuS
Hi souhei,
just a simple approach if regular means same URL, you could use
... | stats count by URL
assuming URL is the field containing the URL
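
The replies above count requests per URL; the regularity asked about in the question can instead be measured from the gaps between consecutive requests of each client to each URL. The following Python is an added example, not code from any poster in this thread: the log layout (timestamp, client, URL), the client addresses and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(line):
    """Split one 'ISO-timestamp client URL' line (assumed log layout)."""
    ts, client, url = line.split()
    return datetime.fromisoformat(ts).timestamp(), client, url

def regular_urls(lines, min_requests=6, max_cv=0.1, min_clients=2):
    """Return {url: {client: mean_gap_seconds}} for URLs that at least
    min_clients clients request at near-constant intervals.
    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests, so the period itself (hour, day, month)
    does not matter. Thresholds are illustrative assumptions."""
    times = defaultdict(list)
    for line in lines:
        t, client, url = parse(line)
        times[(client, url)].append(t)
    hits = defaultdict(dict)
    for (client, url), ts in times.items():
        if len(ts) < min_requests:
            continue  # too few requests to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[url][client] = avg
    return {u: c for u, c in hits.items() if len(c) >= min_clients}

def sample_lines():
    """Constructed events: two clients poll one URL (hourly and daily, with
    a few seconds of jitter); a third browses another URL irregularly."""
    start = datetime(2024, 1, 1, 8, 0, 0)
    out = []
    for i in range(8):
        jitter = (i % 3) * 5
        out.append(f"{(start + timedelta(hours=i, seconds=jitter)).isoformat()} 10.0.0.5 http://hogehoge.com/")
        out.append(f"{(start + timedelta(days=i, seconds=jitter)).isoformat()} 10.0.0.6 http://hogehoge.com/")
    for minutes in (0, 2, 3, 50, 300, 301, 900, 4000):
        out.append(f"{(start + timedelta(minutes=minutes)).isoformat()} 10.0.0.7 http://example.org/news")
    return out

if __name__ == "__main__":
    for url, clients in regular_urls(sample_lines()).items():
        for client, gap in sorted(clients.items()):
            print(f"{url} {client} every ~{gap:.0f}s")
```

Because each client's gaps are judged against that client's own mean, the hourly and the daily poller are both reported for the same URL, while the high-volume but irregular browsing is not.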