Description: The following dashboard is what I use to monitor traffic to GoSplunk. It uses the built-in sourcetype access_combined, so no additional add-ons or TAs are required. I replaced my index with index=* so it will work out of the box; change this to your own index, both for performance and as a matter of best practice. *UPDATE – 2019/05/29* […]
Apache High Level Visitor Info
The following query gives a breakdown of traffic by clientip. I run it over all time so I get the first visit versus the latest visit for each address, as you can see below.
sourcetype=access_combined (referer_domain!="https://gosplunk.com" AND referer_domain!="http://gosplunk.com")
| iplocation clientip
| stats earliest(_time) as First_Visit latest(_time) as Last_Visit sum(eval(bytes/1024/1024)) as MB earliest(Country) as Country count as Views earliest(referer_domain) as Referer_Domain earliest(uri) as Landing_Page by clientip
| eval diff_time_days=round((Last_Visit-First_Visit)/60/60/24, 6), MB=round(MB, 2)
| convert ctime(First_Visit) ctime(Last_Visit)
| fields clientip Country First_Visit Last_Visit diff_time_days MB Views Referer_Domain Landing_Page
| fillnull value="0"
Two details matter here. In stats, first() and last() go by the order events arrive at the command, which for a normal search is newest first, so first(_time) would hand back the most recent hit and diff_time_days would come out as 0; earliest() and latest() go by _time, which is what First_Visit, Landing_Page and Referer_Domain actually want. And rounding each request to MB before summing drops every response under about 5 KB to 0, so sum the raw bytes and round once afterwards.
This will return something like the following: If you want to run this as a scheduled search, which I advise doing […]
Direct and Referred Apache Web Traffic
The following query will show all traffic to an Apache web server that is direct, meaning no referring site.
sourcetype="access_combined" referer="-" | stats count
The following query will show all traffic that is NOT direct, meaning only referring sites.
sourcetype="access_combined" referer!="-" | stats count
The following query is the direct-traffic count again, but as a timechart with a span of 1 day.
sourcetype="access_combined" referer="-" | timechart span=1d count
The following query […]
Concurrent Users on Apache Web
I’ve been working through this query and, depending on how far back you are looking, you can use one of the following two methods. Option 1 – Short time window (30 days or less): concurrent users over a span of 5 minutes.
sourcetype="access_combined" | timechart span=5m dc(clientip) as "Concurrent Users"
Note that dc(clientip) counts distinct client addresses per 5-minute bin rather than open sessions: users behind a shared NAT or proxy collapse into one, and a client whose address changes during the window is counted more than once.
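To make it easy to check what the three searches on this page (the per-clientip breakdown, the direct versus referred split, and the 5-minute distinct-IP count) actually compute, here is an added Python reimplementation run over a handful of constructed access_combined lines. It is example code written for this page, not part of the original post or of Splunk; the sample log, the SELF_DOMAINS set and the referer_domain() helper (which assumes Splunk's referer_domain is the scheme://host prefix of the Referer) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined format (not real GoSplunk traffic).
# Line 2 is a self-referral from gosplunk.com and is dropped by visitor_breakdown().
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2019:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.10 - - [29/May/2019:10:02:30 +0000] "GET /apache-dashboard/ HTTP/1.1" 200 1048576 "https://gosplunk.com/" "Mozilla/5.0"
198.51.100.7 - - [29/May/2019:10:03:10 +0000] "GET /robots.txt HTTP/1.1" 200 256 "-" "curl/7.64.0"
198.51.100.7 - - [29/May/2019:10:06:00 +0000] "GET /missing HTTP/1.1" 404 - "-" "curl/7.64.0"
203.0.113.10 - - [30/May/2019:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Field names mirror Splunk's access_combined extractions (clientip, uri, bytes, referer).
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumed for the example: referrers from the site itself that the search excludes.
SELF_DOMAINS = {"https://gosplunk.com", "http://gosplunk.com"}


def referer_domain(referer):
    """scheme://host of the referer (assumed to match Splunk's referer_domain), or None for "-"."""
    m = re.match(r"^(\w+://[^/]+)", referer)
    return m.group(1) if m else None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])  # "-" means no body sent
    ev["referer_domain"] = referer_domain(ev["referer"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def visitor_breakdown(events, self_domains=SELF_DOMAINS):
    """Per-clientip summary, like the stats ... by clientip search on the page."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["referer_domain"] in self_domains:  # drop internal navigation
            continue
        per_ip[ev["clientip"]].append(ev)
    rows = {}
    for ip, evs in per_ip.items():
        # Sort chronologically: Splunk hands stats its events newest-first, which is
        # why earliest()/latest(), not first()/last(), give the true first and last visit.
        evs.sort(key=lambda e: e["_time"])
        first, last = evs[0], evs[-1]
        rows[ip] = {
            "First_Visit": first["_time"],  # epoch seconds (the search's convert ctime step is skipped)
            "Last_Visit": last["_time"],
            "diff_time_days": round((last["_time"] - first["_time"]) / 86400, 6),
            # Sum raw bytes, then round: rounding each hit to MB first drops small responses.
            "MB": round(sum(e["bytes"] for e in evs) / 1024 / 1024, 2),
            "Views": len(evs),
            "Referer_Domain": first["referer_domain"] or "0",  # fillnull value="0"
            "Landing_Page": first["uri"],
        }
    return rows


def direct_vs_referred(events):
    """(direct, referred) counts: Apache logs a missing Referer header as "-"."""
    direct = sum(1 for e in events if e["referer"] == "-")
    return direct, len(events) - direct


def distinct_ips_per_span(events, span=300):
    """Distinct client IPs per span-second bucket, like timechart span=5m dc(clientip).
    This is distinct addresses per bin, not sessions: NAT merges users, rotating IPs split them."""
    buckets = defaultdict(set)
    for e in events:
        buckets[int(e["_time"] // span) * span].add(e["clientip"])
    return {b: len(ips) for b, ips in sorted(buckets.items())}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, row in visitor_breakdown(evs).items():
        print(ip, row)
    print("direct/referred:", direct_vs_referred(evs))
    print("distinct IPs per 5m:", distinct_ips_per_span(evs))
```

On the sample data the self-referred hit is excluded, so 203.0.113.10 shows two views a day apart with Google as its referrer, 198.51.100.7 gets "0" for Referer_Domain because both of its hits were direct, and the first 5-minute bucket counts two distinct addresses even though it holds three requests.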
Option 2 – Longer time window (Greater than 30 days, […]