Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I find an IP address that only requested a specific URL?

mbeauchamp
Engager
‎02-01-2018 11:59 AM

Trying to search web access logs to find instances where a specific IP only called a single URL, and no other URLs. This IP could have made this call more than once, but didn't request any other URLs through that server. Basically looking for a list of IPs that requested the "/test.html" page, and nothing else.

This is what I tried so far, but it's just grouping by IP and showing all the URLs. 

sourcetype=webaccess clientip!="-" | stats count by clientip | stats list(url) as URL, list(count) as Count, sum(count) as CountByIP by clientip | where CountByIP=1 AND URL="/test.html"
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-01-2018 12:52 PM

Try:

sourcetype=webaccess clientip!="-" | stats values(url) AS url, dc(url) AS url_dc BY clientip | search url="/test.html" url_dc=1

And I can't imagine the search you included in your question actually does anything. Once you call your first stats command, the only fields you'd have are count and clientip.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-01-2018 12:52 PM

Try:

sourcetype=webaccess clientip!="-" | stats values(url) AS url, dc(url) AS url_dc BY clientip | search url="/test.html" url_dc=1

And I can't imagine the search you included in your question actually does anything. Once you call your first stats command, the only fields you'd have are count and clientip.

Reply
Solved! Jump to solution

mbeauchamp
Engager
‎02-01-2018 01:55 PM

That worked perfect! Thanks so much.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-01-2018 02:21 PM

Excellent. Please accept the answer as well, so this question no longer appears open.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...