The following query gives a breakdown of traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit, as you can see below.

This will return something like the following:

If you want to run this as a scheduled search, which I advise because a historical search over all time is lengthy, you can add an outputlookup to the end and search against that lookup for near-instantaneous results:

Once this search runs you can access this by running the following:

Check out the difference in search run time. Barely more than a second versus more than 80 seconds! If you have a lot of users accessing this information you’ll want to do this as a scheduled search. Just be sure to change the permissions on the lookup file so intended users can access it.
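The scheduled-search setup described above, sketched as a `savedsearches.conf` stanza. This is an added example, not the original post's query; the index `web`, the `access_combined` sourcetype, the stanza name, the lookup file name `clientip_traffic.csv`, the output field names and the cron time are all assumptions.

```ini
# Added example (not the post's own search). Assumed names: index "web",
# sourcetype access_combined (supplies clientip and bytes), stanza name,
# lookup file clientip_traffic.csv, and the output field names.
[clientip_traffic_summary]
# min/max of _time give first and latest visit regardless of event order.
search = index=web sourcetype=access_combined \
| stats count AS hits sum(bytes) AS total_bytes min(_time) AS first_visit max(_time) AS latest_visit BY clientip \
| eval total_mb=round(total_bytes/1048576, 2) \
| eval first_visit=strftime(first_visit, "%Y-%m-%d %H:%M:%S") \
| eval latest_visit=strftime(latest_visit, "%Y-%m-%d %H:%M:%S") \
| sort - hits \
| outputlookup clientip_traffic.csv
# Earliest time 0 means "all time"; the expensive search runs once a night.
dispatch.earliest_time = 0
dispatch.latest_time = now
cron_schedule = 15 2 * * *
enableSched = 1

# Users and dashboards then read the cached result instead of raw events:
#   | inputlookup clientip_traffic.csv
#
# Lookup permissions live in the app's metadata/local.meta, for example
# (role names here are placeholders):
#   [lookups/clientip_traffic.csv]
#   access = read : [ user, power ], write : [ admin ]
```

Granting write only to the role that owns the scheduled search keeps other users from overwriting the summary with their own `outputlookup`.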

  1. YiHu

    stats count as 访问次数 sum(bytes) as t1 first(Country) as 国家 by clientip | eval 流量=round(t1/1048576,2)
    I suggest that the bytes be calculated separately, which is more accurate. Thank you again.

