How to find the number of unique visitors to a website using logs? I am using source type iis

gowthamkb
Explorer

sourcetype="iis". I could see the following fields

Interesting Fields
cs_method 1
cs_uri_stem 1
cs_User_Agent 1
date 1
date_hour 21
date_mday 1
date_minute 60
date_month 1
date_second 12
date_wday 1
date_year 1
date_zone 1
index 1
linecount 1
punct 1
s_ip 1
s_port 1
sc_status 1
sc_substatus 1
sc_win32_status 1
splunk_server 1
time 100+
time_taken 100+

0 Karma

sundareshr
Legend

Assuming you used INDEXED_EXTRACTIONS=w3c, you should have a field called c_ip. This is the IP address of the client that made the request. Now, this also could be a NAT'd IP, with userid in your log file (in querystring), it is not 100% reliable. Given what you have, try this search:

sourcetype=iis | stats dc(c_ip) as client_ip 

*OR*

sourcetype=iis earliest=@d | timechart span=1h dc(c_ip) as client_ip

Here's some reading on how to configure IIS logs: http://blogs.splunk.com/2013/10/18/iis-logs-and-splunk-6/

0 Karma

gowthamkb
Explorer

Thanks for the above reply. I checked my props.conf and I could see INDEXED_EXTRACTIONS=w3c.
After executing the following search command I got the count.
sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS Total_Unique_Client_IP

How could I get the result set listing each unique IP (c_ip) and the corresponding list of page visits (cs_uri_stem) made by that IP (c_ip) on the website?

Sorry, I started using Splunk 2 days ago and am still trying to learn search commands. Any help will be appreciated.

0 Karma

sundareshr
Legend

Try this

sourcetype="iis" | stats count by s_ip cs_uri_stem
0 Karma

gowthamkb
Explorer

Did you mean c_ip? I have 7k+ lines in my log and all of them have the same s_ip.

Can I assume that the count returned by the following search command is the total number of unique client visits on the website?

sourcetype="iis" | dedup c_ip | stats dc(c_ip) AS Total_Unique_Client_IP

0 Karma

sundareshr
Legend

Yes. I meant c_ip. The search command you show will give you the distinct count of c_ip. You don't need the dedup command. dc = distinct_count

For just a list of sites visited by c_ip, you can do

sourcetype="iis" | stats count by c_ip cs_uri_stem | fields - count

*OR*

sourcetype="iis" | stats values(cs_uri_stem) as uri_stem by c_ip
0 Karma
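
The two aggregations discussed in this thread, dc(c_ip) and values(cs_uri_stem) by c_ip, reproduced outside Splunk as an added example (not code from the thread or from Splunk) to show why grouping by s_ip collapses to a single row. The sample log is constructed, the function names are hypothetical, and the field-name mapping is an assumption modelled on the underscore names shown in the question.

```python
import io
import re
from collections import defaultdict

# Constructed sample of an IIS W3C extended log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status time-taken
2016-05-01 21:00:01 192.0.2.10 GET /index.html 80 198.51.100.7 Mozilla/5.0 200 15
2016-05-01 21:00:03 192.0.2.10 GET /about.html 80 198.51.100.7 Mozilla/5.0 200 12
2016-05-01 21:00:09 192.0.2.10 GET /index.html 80 203.0.113.4 curl/7.47 200 9
2016-05-01 21:00:12 192.0.2.10 GET /index.html 80 198.51.100.7 Mozilla/5.0 304 3
"""

def splunk_name(w3c_name):
    """Assumed mapping from a W3C field name to the underscore form (c-ip -> c_ip)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", w3c_name).strip("_")

def parse_w3c(stream):
    """Yield one dict per request, using the most recent #Fields: directive as header."""
    fields = []
    for line in stream:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = [splunk_name(f) for f in line.split()[1:]]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def pages_by_client(events):
    """Equivalent of: stats values(cs_uri_stem) by c_ip (sorted, de-duplicated)."""
    pages = defaultdict(set)
    for ev in events:
        pages[ev["c_ip"]].add(ev["cs_uri_stem"])
    return {ip: sorted(uris) for ip, uris in pages.items()}

def summarize(text):
    events = list(parse_w3c(io.StringIO(text)))
    by_client = pages_by_client(events)
    return {
        "unique_clients": len(by_client),                    # dc(c_ip)
        "unique_servers": len({e["s_ip"] for e in events}),  # dc(s_ip)
        "pages": by_client,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The set-based grouping already de-duplicates, which is why a preceding dedup adds nothing to a distinct count.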