How To Summary Index Unique Visitor Sessions In II...

john_loch · ‎11-27-2010

I need to update a summary index with Unique IP counts every 5 mins.

What would be the optimal way to check for unique IP's over say -8m@m to -3m@m (ie 5 min period ending 3 mins ago) that don't occur in a 30min window preceding that.

The basic premise is that any activity within the preceding 30 mins indicates a continuing session while absence indicates a new session (if IP appears within the 5 min window).

I'm sure this is covered somewhere from a standard indexing standpoint, but needing to push it into a summary index every 5 mins means I need to be careful about overlaps etc.

Thanks all 🙂

gkanapathy · ‎11-29-2010

I'm not sure exactly what you're trying to count? Is it just "IPs that appear in the last 5 minutes that have also not appeared in the prior 30 minutes (or 25 minutes")"? That is, the number of new visits in the most recent 5 minute window?

The simple way of doing this is:

sourcetype=log earliest=-38m@m latest=-3min@m | stats min(_time) as earliest by ip | where earliest < relative_time(now(),"-8m@m") | stats count

A more efficient way, knowing that you are running this every 5 minutes would be to run a search that built and updated a lookup table with the new IPs seen in the last 5 minutes as it went:

sourcetype=log earliest=-8m@m latest=-3m@m | stats min(_time) as earliest by ip | inputlookup append=t recentips | stats min(_time) as earliest by ip | where earliest > relative_time(now(),"-38m@m") | outputlookup recentips

And to get the number for you more recent 5 minute interval (after the other search has run)

| inputlookup recentips | where earliest > -8m@m | stats count

How To Summary Index Unique Visitor Sessions In IIS Every 5 Mins ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases