📊 Splunk Dashboard for Web Traffic Logs

📌 Project Overview

This project demonstrates the creation of an interactive Splunk dashboard to analyze Apache Web Traffic Logs in JSON format.
The dashboard provides real-time insights into web activity, error trends, top resources, user IPs, and geographic traffic distribution.

It is designed for web monitoring, security analysis, and performance troubleshooting.

---

🎯 Objectives

• Analyze overall web traffic volume
• Monitor successful and failed HTTP responses
• Identify top requested URIs
• Track top users by IP address
• Visualize web traffic geographically using a Choropleth Map

---

🛠️ Tech Stack

• Splunk Enterprise
• Apache Web Access Logs (JSON format)
• SPL (Search Processing Language)

---

📂 Dataset Details

• Source: apache_mixed_access_full (1).json
• Host: webserver
• Sourcetype: _json
• Key Fields:
  • ip
  • method
  • uri
  • status
  • _time

---

⚙️ Lab Setup & Configuration

1️⃣ Data Ingestion

1. Login to Splunk as Administrator
2. Navigate to:

Settings → Add Data → Upload

3. Upload apache_logs.json

4. Set:

• Source Type: _json
• Host: webserver

5. Review and submit

Verify ingestion:

source="apache_logs.json"

---

📊 Dashboard Creation

Dashboard Details

• Dashboard Name: Web Traffic Logs Dashboard
• Dashboard Type: Classic Dashboard
• Permissions: Private

---

⏱️ Task 0: Time Range Input

A shared time picker is used to ensure consistency across all panels.

• Label: Time Range
• Token: time_range

All panels use the shared time picker token time_range.

---

📈 Task 1: Web Activities

🔹 Total Web Requests

Visualization: Single Value

source="apache_logs.json" host="webserver" sourcetype="_json"
| stats count AS "Total Web Requests"

---

🔹 Successful Responses (200 OK)

Visualization: Single Value

source="apache_mixed_logs.json" host="webserver" sourcetype="_json" method=GET status=200
| stats count AS "Successful Responses"

---

🔹 Client Errors (4xx)

Visualization: Single Value

source="apache_mixed_access_full (1).json" host="webserver" sourcetype="_json"
| where status>=400 AND status<500
| stats count AS "Client Errors"

---

🔹 Server Errors (5xx)

Visualization: Single Value

source="apache_logs.json" host="webserver" sourcetype="_json"
| where status>=500 AND status<600
| stats count AS "Server Errors"

---

📊 Task 2: Web Statistics

🔹 Top Requested URIs

Visualization: Bar Chart

source="apache_logs.json" host="webserver" sourcetype="_json"
| stats count AS Hits by uri
| sort - Hits

---

🔹 Top Users by IP Address

Visualization: Bar Chart

source="apache_logs.json" host="webserver" sourcetype="_json"
| stats count AS Requests by ip
| sort - Requests

---

🌍 Task 3: Web Traffic by Client IP (Geographic View)

🔹 Choropleth Map

Visualization: Choropleth Map

source="apache_mixed_access_full (1).json" host="webserver" sourcetype="_json" method=GET
| table ip
| iplocation ip
| stats count by Country
| geom geo_countries featureIdField="Country"

---

✅ Key Features

• 📊 Real-time traffic monitoring
• 🚨 Error detection (4xx & 5xx)
• 🌐 Geographic traffic visualization
• 🔍 Insight into popular resources and users
• 🔐 Useful for security and anomaly detection

---

📌 Use Cases

• Web server monitoring
• Security analysis
• Traffic trend analysis
• Performance troubleshooting
• Academic and lab submissions

---

🧾 Conclusion

This project delivers a comprehensive Splunk dashboard for analyzing web traffic logs using SPL queries and visual analytics. It enables administrators and security analysts to quickly understand traffic behavior, detect anomalies, and make informed decisions.

---

📚 Future Enhancements

• Add alerts for high error rates
• Time-series trend analysis
• Brute-force or suspicious IP detection
• Integration with SIEM use cases

---