Skip to main content
Splunk Lantern

HTTP GET requests

You are concerned that users on your network might accidentally download content from the internet that poses a threat. You've already done some investigating into anomalous domains and have picked a user whose activity you are most concerned about. Now you want to focus just on HTTP GET requests initiated by that user.

Required data

Web server data


This sample search uses Stream HTTP data. You can replace this source with any other web server data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range. 

sourcetype=stream:http src_ip=<IP address sending the request> dest_ip!=<IP address sending the request> http_method=GET
|table src_ip dest_ip bytes_in bytes_out site uri

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search only Stream http data.

src_ip=<IP address sending the request> 

Search data coming from this IP address.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 


(src="" OR src_ip="")


(src="" OR src="")

dest_ip!=<IP address sending the request> 

Exclude results where the destination IP address is the same as the source IP address.


Search for a request to retrieve data.

|table src_ip dest_ip bytes_in bytes_out site uri

Display the results in a table with the columns in the order shown.

Next steps

You can filter out URIs that you know to be safe and investigate unusual ones further. If you already have information about bytes in and bytes out on your network, you can calculate statistics to show whether any of the GET requests are outliers.  

Finally, you might be interested in other processes associated with these use cases: