Hi,
Now, we have the following use case, but I don't know how to write the search. Please help~
In application log, let's define "visit URL1, URL2, URL3......continuously in order" as a Visit Order;
Then how to set up an alert as the following:
When one IP visits one Visit Order more than N times in the time range T, then alert.
Please note, the Visit Order is not set up at the beginning.
Thanks in advance~^_^
Viewing your comment, you must first extract IP and URL to detect that clientIP1 visits an order - "URL1, URL2, URL3"
Here you go.
.... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|table IP url
You can also count .......
.... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|stats count
Thanks
Thanks for your help. But the URL1, URL2, URL3... are not defined at the beginning, which means we want to detect the visit order which was visited by one IP many times.
Try like this
.... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|eventstats earliest(url) as start_url latest(url) as end_url by IP|transaction IP startswith=eval(url=start_url) endswith=eval(url=end_url)|stats count
Hello! Can we get a sample data of your log, and also please can you explain how one IP visits one Visit Order? Maybe something which can help write the query?
Thanks
oh, hello~
It is an access log. I cannot export the log since it is in production, but I can give an example if it can help.
How to detect clientIP1 visiting an order - "URL1, URL2, URL3" 2 times?
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
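As an added example (not from the thread and not Splunk's own code), this Python script does what the SPL above is aiming at without knowing the Visit Order in advance: it extracts IP and URL with the same pattern as the posted rex, treats every contiguous run of k URLs per IP as a candidate order, and alerts when one such run recurs at least min_count times with all of its starts inside a window of window_seconds. The sample lines are constructed in the format posted above (user-agent shortened); order_len, window_seconds and min_count are assumed parameters standing in for the question's N and T.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same extraction as the rex in the thread: third space-separated token is the client IP,
# the quoted token right after the ")" that closes the user-agent is the URL.
LINE_RE = re.compile(r'^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)"\s+"(?P<url>\w+)')

# Constructed sample data in the posted layout: clientIP1 repeats URL1,URL2,URL3 once.
SAMPLE_LOG = """\
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL1" 0.0030 44
2015-06-11 19:26:00 clientIP2 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0)" "URL3" 0.0030 44
"""


def parse_events(text):
    """Return [(ip, timestamp, url)] for every line the extraction pattern matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not fit the access-log layout
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            events.append((m.group("IP"), ts, m.group("url")))
    return events


def repeated_visit_orders(events, order_len, window_seconds, min_count):
    """{(ip, order): count} for each contiguous order of order_len URLs that one IP
    visited at least min_count times with all those starts within window_seconds.
    No order is given up front: every contiguous run is a candidate (overlaps count)."""
    by_ip = defaultdict(list)
    for ip, ts, url in events:
        by_ip[ip].append((ts, url))
    alerts = {}
    for ip, visits in by_ip.items():
        visits.sort()                      # replay this IP's requests in time order
        starts = defaultdict(list)         # order -> start time of each occurrence
        for i in range(len(visits) - order_len + 1):
            order = tuple(url for _, url in visits[i:i + order_len])
            starts[order].append(visits[i][0])
        for order, times in starts.items():
            best, lo = 0, 0                # sliding window over sorted start times
            for hi in range(len(times)):
                while (times[hi] - times[lo]).total_seconds() > window_seconds:
                    lo += 1
                best = max(best, hi - lo + 1)
            if best >= min_count:
                alerts[(ip, order)] = best
    return alerts
```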