Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

captures users sum by url by date

sdagostino
Engager
‎05-27-2010 06:03 PM

I need to add something to the following search string (or rewrite it) that captures the following;

  1. User
  2. Destination URL
  3. Number of times the user accessed the Destination URL per day
  4. total number of hits to the Destination URL.

This search string

host="192.168.105.25" Prism http://DCSPRSAPPTS01.chpnet.org:80//Citrix/MetaFrame action="POST"| stats count by user, dest_url

Generates the following results

user     dest_url                                                               Count
phtwe    http://DCSPRSAPPTS01.chpnet.org:80//Citrix/MetaFrame/auth/login.aspx   99 
nkhan    http://DCSPRSAPPTS01.chpnet.org:80//Citrix/MetaFrame/auth/login.aspx   83
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-06-2010 10:06 PM

Do you just want the equivalent of:

 ... | bucket _time span=1d | stats count by _time,user,dest_url

Seems to me that's it. If you want the total for each URL, you can get it by adding:

 ... | eventstats sum(count) as total_count by _time,dest_url

or there is a trick you can do by creating a multivalued field:

... | eval user=user+";"+"*" | eval user=split(user,";") | bucket _time span=1d | stats count by _time,user,dest_url

which will put the total count as the * user. You can use any value besides * if it doesn't conflict with a real user name.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-06-2010 07:03 PM

Note: I just improved the formatting of the question so its more readable now.

0 Karma
Reply

Lowell
Super Champion
‎06-03-2010 07:01 PM

Still not sure what your are really asking here, but perhaps the following question/answer would be helpful to you. You both seem to be looking at Citrix/MetaFrame POST events:

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-28-2010 05:27 PM

I'm still confused. I think you should supply some sample events and clarify exactly what you need to do functionally.

0 Karma
Reply

Lowell
Super Champion
‎05-27-2010 06:51 PM

By "string", do you mean "search string"? Can you provide a sample event or two. I assume your are looking at some kind of http access log? Is this correct? (Please edit your question and provide some additional details.)

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎05-27-2010 06:27 PM

Can you clarify what you want to get the sum of?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...