Many of our customers love CloudFlare's statistics report because the information available differs from other services providing analytics. One frequent request is that customers would like to be able to look at the individual IP hits coming to their site. This information can be useful if you see a sudden increase in traffic and want more insight into the origin. Ian Pye, CloudFlare's API and reporting guru, created a solution in the CloudFlare API.
How to use the API function to view recent visitor IPs within the past 48 hours:
1. Open Firefox and install the Firefox JSONview addon. We recommend doing the API call in Firefox with the JSONview addon since the data output is easy to read.
2. Get your API key from your CloudFlare account.
3. Get your zone id by clicking on the 'Reports and Stats' option for the domain you want to pull data for. The zone ID is at the end of the url on that page (zid=xxxx).
4. The API values from the Client Interface API are as follows:
[a] = zone_ips [tkn] = Your API Key [email] = firstname.lastname@example.org (use the one associated with your CloudFlare account) [zid] = ID of the zone you would like to check. [hours] = Number of hours to go back. Default is 24, max is 48. [class] = (Optional) Restrict the result set to a given class. Currently r|s|t, for regular, crawler, threat respectively. If you omit this token you will see the results for all visitors. [geo] = (Optional) Include to add longitude and latitude information to the response. 0,0 means no data.
The URL is:
5. So, you are now ready to run the query. Open your Firefox browser, and run the following function, but insert the data from steps 1 through 3 for your particular site:
The variables listed in blue are the ones that you should customize for your particular site.
6. The data output will list the IPs in order from the most number of hits in the selected time period to the least. You will also be able to see the visitor classified by type.
One thing to note is that for Free accounts, you will only be able to see data older than 24 hours. For Pro accounts, you can see data in the last 24 hours as well.
In terms of what you can do with the data, if you see a lot of requests coming a certain IP in a short period of time, you may determine it is an attack. In that case, you should add it to your Block List in your CloudFlare Threat Control panel. By adding the IP to the Block List, the visitor will be stopped from accessing your server reducing your server load.
Have any suggestions for improving the API? Have something cool that you've done with the CloudFlare API that you would like to share with the rest of the community? We'd love to hear about it. Share it with us.