Apache Traffic Dashboard

Description: The following Dashboard is what I use to monitor traffic to GoSplunk. It uses the built in sourcetype of access_combined. No additional add-on’s or TA’s are required. I replaced my index with index=* so it’ll work out of the box. You’ll want to change this to your index for best practices. *UPDATE – 2019/05/29* […]

Continue Reading →

Apache High Level Visitor Info

The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below. sourcetype=access_combined (referer_domain!=”https://gosplunk.com” AND referer_domain!=”http://gosplunk.com”) | iplocation clientip | stats first(_time) as First_Visit latest(_time) as Last_Visit sum(eval(round(bytes/1024/1024,2))) as MB first(Country) as Country count […]

Continue Reading →

Direct and Referred Apache Web Traffic

The following query will show all traffic to an Apache web server that is direct, meaning no referring site. sourcetype=”access_combined” referer=”-” | stats count The following query will show all traffic that is NOT direct, meaning only referring sites. sourcetype=”access_combined” referer!=”-” | stats count The following query is the same as above, but with a […]

Continue Reading →

Concurrent Users on Apache Web

I’ve been working through this query and depending on the length of time you are looking back you can use one of the following two methods. Option 1 – Short time window (30 days or less) concurrent users for a span of 5 minutes. sourcetype=”access_combined” | timechart span=5m dc(clientip) as “Concurrent Users” Option 2 – […]

Continue Reading →