Filtering by Client IP
Is there a way to filter the purepaths by Client IP address? It seems that it is not an option when selecting the Web Request tab under Filters.
I only see the options of URI and Query under WebRequest.
Thanks
Ty
i am still stuck with creating a simple business transaction based on client ip passed in the purepath information (we do not have UEM activated yet).
could you please describe a way how to create a business transaction which is filtering for all client IPs and their count by time?
Thanks
Hi Edwin,
If you use the Server Side Performance - Transaction Based Measures - Business Transaction Evaluation/Filter/Splitting Values - Web Requests - Client IP measure you should not require UEM to be activated.
Filtering for all client IPs - do you mean you want the BT to split by client IP and show a count for each unique IP address? Doing that will result in potentially very large number of splittings, so when you do that make sure you are not storing that BT in the performance warehouse!
Best, Roman
hi Roman,
"do you mean you want the BT to split by client IP and show a count for each unique IP address?"
exactly this is what i would like to achieve to better understand potential bruteforce attacks against certain login forms and to analyse from which client IPs we are facing an abnormal high request count.
kr, edwin
Ok, then you just need one split criteria - the client IP.
Should look like this (you will need to create the measure Server Side Performance - Transaction Based Measures - Business Transaction Evaluation/Filter/Splitting Values - Web Requests - Client IP first):
Make sure you are not storing this in the performance warehouse and you select no restrictions - up to 50k that should give you what you are looking for.
If you want to do this long term or have a larger number of unique IPs I would consider using the BT export feature and do the counting externally.
Best, Roman
Very useful, we get hit by some AV software checking us out, this piece allowed me to very quickly set up a BT to capture how often this is happening.
Hi
Another angle to it is that the UEM IP will give the IP of the user, that will be an internal adress from the LAN.
The Web Request IP will be the IP adress of the device communicating with the web server, typically a Firewall.
The first (UEM) IP doesn't have to be unique as most corporation use private adress space internally and hence the same IP can belong to two different people (adress usually swapped in the Firewall) while people acessing from home or from mobile devices will have a uniques adress.
The second (Web Request) doesn't have to be a uniques adress either since people accessing from within the same corporation will most likely pass through the same Firewall that most of the time uses NAT (Network Adress Transalation) and look like the same IP adress from the Web servers perspective. Of course the IP can be correlated with other identifiers to make certain whether they are unique or not.
What is the difference between these two masures:
1) UEM - Visits - IP Adress meaure
2) Server Side Perormance - We Requests - Client IP
I'm trying to filter by IP Address of users to my web site.
Thanks!!
Eric
1) This is a measure on the whole visit, giving you the IP address this user came from. Obviously it is only available if you have UEM enabled. Use this is your BT is based on visits (e.g. filtering out all visits from a certain IP)
2) This is the IP address that we capture from the incoming web request on the web or app server tier. Use this if you BT is based on PurePaths.
Best, Roman
What do you mean by 'use this if your BT is based on PurePaths'?
Does a visit not start a purepath? I suppose I'm expecting both 1 and 2 to lead to the same result; I probably don't understand how visits differ from PurePaths.
Thanks,
Eric
Both measures you showed in your screenshot are used as filter/splitting criteria for business transactions (BT). As a BT can be based on visits, page actions or PPs we have different measure that get you the IP for the visit or single PPs.
Each visits consists of 1 or multiple page actions, which in turn can consists of multiple PPs. Take a look at the documentation for a more detailed explanation of the underlying concepts of UEM: https://apmcommunity.compuware.com/community/display/DOCDT50/User+Experience+Management#UserExperienceManagement-Visits
Best, Roman
Roman, Thank you for answering!
What I'm hoping to do is filter for one specific IP address so that I can track what a specifc user is doing.
Would I be better served via UEM or SSP?
Thank you!!
Eric
If your use case is to figure out what a user is doing you could just directly use the complaint resolution feature of dynaTrace. Just go to Edit - Search and you should be able to search for the visits by IP, date, location and other parameters.
Of course pre-requisite is that you have UEM enabled, if you do not have it the only way is a business transaction that groups the server-side PurePaths by the IP and use that as a starting point.
Best, Roman
Hello,
I think the only solution would be to (ab)use business transactions for this: Create a business transaction either with a filter matching the specified IP or which groups by IP address. Then, you can use this business transaction as a filter criterion in your dashlets/dashboards. Make sure that the business transaction result measures are not written to the repository (they are just used to "flag" PurePaths). Note that this will only work with newly arriving paths or after you re-analyzed the session.
Update: I just realized: Of course you can also use the Business Transaction dashlet to show PurePaths matching the IP and then drill down to other dashlets.
Günther
