
SPL

Apache High Level Visitor Info

Description

Submitted by SplunkNinja

The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below.
sourcetype=access_combined (referer_domain!="https://gosplunk.com" AND referer_domain!="http://gosplunk.com")
| iplocation clientip
| stats earliest(_time) as First_Visit latest(_time) as Last_Visit sum(bytes) as total_bytes first(Country) as Country count as Views earliest(referer_domain) as Referer_Domain earliest(uri) as Landing_Page by clientip
| eval diff_time_days=round((Last_Visit-First_Visit)/60/60/24, 6)
| eval MB=round(total_bytes/1024/1024, 2)
| convert ctime(First_Visit) ctime(Last_Visit)
| fields clientip Country First_Visit Last_Visit diff_time_days MB Views Referer_Domain Landing_Page
| fillnull value="0"
This returns a table with one row per clientip.

If you want to run this as a scheduled search, which I advise because an all-time historical search is lengthy, you can add an outputlookup to the end and search against the lookup for near-instantaneous results:
sourcetype=access_combined (referer_domain!="https://gosplunk.com" AND referer_domain!="http://gosplunk.com")
| iplocation clientip
| stats earliest(_time) as First_Visit latest(_time) as Last_Visit sum(bytes) as total_bytes first(Country) as Country count as Views earliest(referer_domain) as Referer_Domain earliest(uri) as Landing_Page by clientip
| eval diff_time_days=round((Last_Visit-First_Visit)/60/60/24, 6)
| eval MB=round(total_bytes/1024/1024, 2)
| convert ctime(First_Visit) ctime(Last_Visit)
| fields clientip Country First_Visit Last_Visit diff_time_days MB Views Referer_Domain Landing_Page
| fillnull value="0"
| outputlookup historical_client_insight.csv
Once this search runs you can access this by running the following:
| inputlookup historical_client_insight.csv
Check out the difference in search run time. Barely more than a second versus more than 80 seconds! If you have a lot of users accessing this information you'll want to do this as a scheduled search. Just be sure to change the permissions on the lookup file so intended users can access it.
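The same per-client rollup outside Splunk, as an added example that is not part of the original post: it parses constructed access_combined lines with the standard library, applies the post's referer exclusion, and shows two pitfalls of the original pipeline side by side: taking the first value seen (events arrive newest-first, so that is the latest visit) versus the chronologically earliest, and rounding bytes to MB per event (small responses round to 0) versus summing bytes first. The log lines, field names and SELF_REFERERS list are assumptions modelled on the post.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit
# Constructed access_combined lines (not real traffic), newest-first as a Splunk
# search returns them, so the first value seen is not the earliest visit.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:20:00:01 +0000] "GET /about.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2024:12:30:00 +0000] "GET /blog/ HTTP/1.1" 200 1048576 "https://news.example/" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:08:00:09 +0000] "GET /style.css HTTP/1.1" 200 3000 "https://gosplunk.com/index.html" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://search.example/" "Mozilla/5.0"
"""
SELF_REFERERS = ("https://gosplunk.com", "http://gosplunk.com")  # the post's exclusion list
LOG_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')
def parse_line(line):
    """One event dict per access_combined line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ref = urlsplit(m["referer"])
    return {
        "clientip": m["clientip"], "uri": m["uri"],
        "_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        # scheme://host, the shape the post's referer_domain filter compares against
        "referer_domain": f"{ref.scheme}://{ref.netloc}" if ref.scheme else "",
    }
def visitor_summary(log_text):
    """Per-clientip rollup of the post's stats/eval: earliest and latest by
    timestamp rather than arrival order, bytes summed before one rounding."""
    by_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["referer_domain"] not in SELF_REFERERS:
            by_ip.setdefault(ev["clientip"], []).append(ev)
    rows = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["_time"])
        first, last, total = evs[0], evs[-1], sum(e["bytes"] for e in evs)
        rows.append({
            "clientip": ip, "Views": len(evs), "Landing_Page": first["uri"],
            "First_Visit": first["_time"].isoformat(), "Last_Visit": last["_time"].isoformat(),
            "diff_time_days": round((last["_time"] - first["_time"]).total_seconds() / 86400, 6),
            "MB": round(total / 1024 / 1024, 2), "Referer_Domain": first["referer_domain"],
            # what sum(eval(round(bytes/1024/1024,2))) yields: small responses round to 0 each
            "MB_rounded_per_event": round(sum(round(e["bytes"] / 1048576, 2) for e in evs), 2),
        })
    return rows
```

Calling `visitor_summary(SAMPLE_LOG)` gives 203.0.113.5 two views (the gosplunk.com self-referral is dropped), /index.html as Landing_Page, 2.5 days between visits, and 0.01 MB summed-then-rounded against 0.0 MB rounded per event.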

Comments

2 total

YiHu
11/23/2021

Thank you for making me suddenly enlightened!

YiHu
11/23/2021

stats count as 访问次数 sum(bytes) as t1 first(Country) as 国家 by clientip | eval 流量=round(t1/1048576,2)

I suggest that the bytes be calculated separately, which is more accurate. Thank you again.
