Splunk Search

How can I find an IP address that only requested a specific URL?

mbeauchamp
Engager

Trying to search web access logs to find instances where a specific IP only called a single URL, and no other URLs. This IP could have made this call more than once, but didn't request any other URLs through that server. Basically looking for a list of IPs that requested the "/test.html" page, and nothing else.

This is what I tried so far, but it's just grouping by IP and showing all the URLs.

sourcetype=webaccess clientip!="-" | stats count by clientip | stats list(url) as URL, list(count) as Count, sum(count) as CountByIP by clientip | where CountByIP=1 AND URL="/test.html"
Tags (2)
0 Karma
1 Solution

micahkemp
Champion

Try:

sourcetype=webaccess clientip!="-" | stats values(url) AS url, dc(url) AS url_dc BY clientip | search url="/test.html" url_dc=1

And I can't imagine the search you included in your question actually does anything. Once you call your first stats command, the only fields you'd have are count and clientip.

View solution in original post

micahkemp
Champion

Try:

sourcetype=webaccess clientip!="-" | stats values(url) AS url, dc(url) AS url_dc BY clientip | search url="/test.html" url_dc=1

And I can't imagine the search you included in your question actually does anything. Once you call your first stats command, the only fields you'd have are count and clientip.

mbeauchamp
Engager

That worked perfect! Thanks so much.

0 Karma

micahkemp
Champion

Excellent. Please accept the answer as well, so this question no longer appears open.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...