Trying to search web access logs to find instances where a specific IP only called a single URL, and no other URLs. This IP could have made this call more than once, but didn't request any other URLs through that server. Basically looking for a list of IPs that requested the "/test.html" page, and nothing else.
This is what I tried so far, but it's just grouping by IP and showing all the URLs.
sourcetype=webaccess clientip!="-" | stats count by clientip | stats list(url) as URL, list(count) as Count, sum(count) as CountByIP by clientip | where CountByIP=1 AND URL="/test.html"
Try:
sourcetype=webaccess clientip!="-" | stats values(url) AS url, dc(url) AS url_dc BY clientip | search url="/test.html" url_dc=1
And I can't imagine the search you included in your question actually does anything. Once you call your first stats command, the only fields you'd have are count and clientip.
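A small Python model of the two `stats` calls discussed above, added here as an illustration and not code from the original thread. The events are constructed sample data and the function names are hypothetical; it shows why `url` is gone after `stats count by clientip` and how the `values(url)` / `dc(url)` form isolates clients that requested only one URL.

```python
from collections import defaultdict

# Constructed sample events (not from the original post); the fields mirror
# the clientip and url fields used in the searches above.
EVENTS = [
    {"clientip": "10.0.0.1", "url": "/test.html"},
    {"clientip": "10.0.0.1", "url": "/test.html"},   # repeat hits are fine
    {"clientip": "10.0.0.2", "url": "/test.html"},
    {"clientip": "10.0.0.2", "url": "/index.html"},  # touched another URL
    {"clientip": "10.0.0.3", "url": "/login"},       # never hit /test.html
    {"clientip": "-", "url": "/test.html"},          # dropped by clientip!="-"
]

def stats_count_by_clientip(events):
    """Model of `stats count by clientip`: rows keep only clientip and count."""
    counts = defaultdict(int)
    for e in events:
        counts[e["clientip"]] += 1
    return [{"clientip": ip, "count": n} for ip, n in sorted(counts.items())]

def stats_values_dc_by_clientip(events):
    """Model of `stats values(url) AS url, dc(url) AS url_dc BY clientip`."""
    urls = defaultdict(set)
    for e in events:
        urls[e["clientip"]].add(e["url"])
    return [{"clientip": ip, "url": sorted(u), "url_dc": len(u)}
            for ip, u in sorted(urls.items())]

def only_requested(events, target="/test.html"):
    """Client IPs whose distinct URL set is exactly {target}."""
    base = [e for e in events if e["clientip"] != "-"]
    rows = stats_values_dc_by_clientip(base)
    # `search url="/test.html" url_dc=1`: multivalue match plus one distinct URL
    return [r["clientip"] for r in rows
            if target in r["url"] and r["url_dc"] == 1]

if __name__ == "__main__":
    first = stats_count_by_clientip(EVENTS)
    print("fields after first stats:", sorted(first[0]))
    print("clients that requested only /test.html:", only_requested(EVENTS))
```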
That worked perfect! Thanks so much.
Excellent. Please accept the answer as well, so this question no longer appears open.