Hi all,
I am mainly asking this here as it's a little past my knowledge with Splunk.
Basically, I'm after a way of combining the results from two field extractions into one.
This is my scenario.
I have an index="my_index"
It contains log data, all in the same format, dating back over 2 years; quite a lot of data, around 1GB per day for the past 2 years.
Now, the data is basically just from our "firewalls" and contains a few "important" fields.
The important stuff, per event.
Datestamp, Username, url_host.
I will explain these for you:
Datestamp is obvious.
Username is the user going through the firewall; this is captured via a custom field extraction.
url_host is again a custom extraction; it nabs just the domain that was hit from the URL string.
Now the difficult part: as you should (unless I am wrong) be aware, a field extraction needs to be linked to one of these: a source, a host or a source-type.
I have an issue with this: my index has multiple hosts, multiple source types (every day), and the source-type was modified several times throughout the life of the data due to problems we were experiencing with other fields (not related to this).
My problem is I want to run the following search:
index="my_index" username="someuser" | stats count by url_host
In other words, print me a list of all the sites (domains) this user connected to and the number of times they connected to each.
However, since the data has no common host, source or source-type I can only get results for a single host, or single source, or single source-type... which is pretty useless to me.
Is there any way of overcoming this?
First thoughts would be...
Link a field extraction to an index?
Or create a search that combines the counts per url_host from two different url_host based extractions...?
E.g. final_url_host = count of url_host_01 + count of url_host_02???
Help me please, my brain is hurting! lol
Aaron.
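One way to get a single per-user domain count across all hosts and sourcetypes, as an added example that is not part of the original post: merge the two existing extractions with coalesce() and fall back to an inline search-time rex, which does not depend on any host/source/sourcetype binding. It assumes the two extractions are named url_host_01 and url_host_02 and that the raw URL lives in a field called url (all three names are assumptions, not from the post).

```spl
index="my_index" username="someuser"
| rex field=url "^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?(?<url_host_rex>[^/:?#]+)"
| eval url_host=coalesce(url_host_01, url_host_02, url_host_rex)
| where isnotnull(url_host)
| stats count by url_host
| sort -count
```

Because coalesce() takes the first non-null value per event, each event is counted once even where both extractions fire, so the totals are not double-counted.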