Hi Matt,
Sorry, I missed your second question last week.
To log one entry per client IP per day, you'd need to track whether you've logged already. Here are a few options I can think of:
- If your clients generally support cookies, you could try setting a cookie which expires in 24 hours or at midnight your time. The downside to this is that you'd log every HTTP request for clients who don't support cookies.
- You could try to track each unique client IP per day in a memory subtable on LTM. The downside to this is that you could use up a lot of LTM memory just for this logging.
- You could log everything but not to the local LTM filesystem. On 9.4.x, your most efficient option would be to use the log command with a remote syslog server:
From: http://devcentral.f5.com/wiki/iRules.log.ashx
log < remote_ip>:< remote_port> < facility>.< level>] < message>
With this option, you could run the syslog server on the SQL server, parse the syslog messages from a file to a SQL table, parse the unique IPs per day and then run your IP lookup only once per IP.
In v10.1 - 10.2.x, you can use High Speed Logging to do this even more efficiently: http://devcentral.f5.com/wiki/iRules.hsl.ashx
In v11, you can use a new logging profile to configure this via the GUI. You can check the WA implementation guide for details on this (the info is valid for LTM as well): http://support.f5.com/content/kb/en-us/products/wa/manuals/product/wa_implementations_11_0_0/_jcr_content/pdfAttach/download/file.res/wa_implementations_11_0_0.pdf
I think the last option is the best from an LTM perspective as it offloads all of the logic for what to log and parse to a separate host. If you want details on any of these approaches let me know and I can provide some more info.
Aaron