The following query gives a breakdown of traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit, as you can see below.
sourcetype=access_combined (referer_domain!="https://gosplunk.com" AND referer_domain!="http://gosplunk.com")
| iplocation clientip
| stats earliest(_time) as First_Visit latest(_time) as Last_Visit sum(eval(round(bytes/1024/1024,2))) as MB first(Country) as Country count as Views earliest(referer_domain) as Referer_Domain earliest(uri) as Landing_Page by clientip
| eval diff_time_days=round((Last_Visit-First_Visit)/60/60/24, 6)
| convert ctime(First_Visit) ctime(Last_Visit)
| fields clientip Country First_Visit Last_Visit diff_time_days MB Views Referer_Domain Landing_Page
| fillnull value="0"
This will return something like the following: If you want to run this as a scheduled search, which I advise doing […]
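To check what the stats clause above actually produces before scheduling it, here is an added Python example (not from the original post) that applies the same per-clientip aggregation to a few constructed access_combined lines. It assumes the Apache combined log layout and leaves out the iplocation Country lookup, which needs Splunk's GeoIP database; the sample log lines and the OWN_SITE set are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" log line, i.e. what Splunk indexes as sourcetype=access_combined.
LOG_RE = re.compile(r'(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
                    r'\d{3} (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')
OWN_SITE = {"https://gosplunk.com", "http://gosplunk.com"}  # referer domains the query excludes

def referer_domain(referer):
    """scheme://host of the referer, or "" when the log has "-"."""
    m = re.match(r"(https?://[^/]+)", referer)
    return m.group(1) if m else ""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"clientip": m["clientip"], "uri": m["uri"],
            "_time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp(),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
            "referer_domain": referer_domain(m["referer"])}

def traffic_by_clientip(lines):
    """Same fields as the SPL stats ... by clientip, minus iplocation's Country."""
    rows = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["referer_domain"] in OWN_SITE:
            continue  # the referer_domain!= filter from the search clause
        r = rows.setdefault(ev["clientip"], {"first": ev, "last": ev, "mb": 0.0, "views": 0})
        # the chronologically earliest event decides First_Visit, Referer_Domain and Landing_Page
        if ev["_time"] < r["first"]["_time"]:
            r["first"] = ev
        if ev["_time"] > r["last"]["_time"]:
            r["last"] = ev
        r["mb"] += round(ev["bytes"] / 1024 / 1024, 2)  # sum(eval(round(bytes/1024/1024,2)))
        r["views"] += 1
    return {ip: {
        "First_Visit": r["first"]["_time"], "Last_Visit": r["last"]["_time"],
        "diff_time_days": round((r["last"]["_time"] - r["first"]["_time"]) / 60 / 60 / 24, 6),
        "MB": round(r["mb"], 2), "Views": r["views"],
        "Referer_Domain": r["first"]["referer_domain"] or "0",  # fillnull value="0"
        "Landing_Page": r["first"]["uri"]} for ip, r in rows.items()}

# Constructed sample lines, not real traffic; the third is dropped by the own-site referer filter.
SAMPLE = [
    '203.0.113.5 - - [10/Mar/2024:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1048576 "https://example.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2024:20:00:00 +0000] "GET /post/1 HTTP/1.1" 200 524288 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2024:09:00:00 +0000] "GET /post/2 HTTP/1.1" 200 100 "https://gosplunk.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Mar/2024:12:30:00 +0000] "GET /about HTTP/1.1" 200 - "-" "curl/8.0"',
]
```

Running `traffic_by_clientip(SAMPLE)` gives one row per client with the same column names the SPL query emits, so the numbers can be compared against the Splunk results on the same log slice.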