Hi,
I'm using Splunk for caching the logs and reporting; now I need to query Splunk for user actions and generate a report. My case is shown below.
I had several events in a log like:
e1: [email1@test.com] Login system with username:email1
e2: [email1@test.com] Read articleId:art1
e3: [email1@test.com] Read articleId:art2
e4: [anotheremail1@test.com] Login system with username:email2
Now I want to list all actions made by the users who read the article with articleId art1. Which search statement can help me?
Best case: extract the fields for email, action and article. Then your search will look like this:
yoursearchhere [ search action=Read article="art1" | dedup email | fields email ]
If you must create the fields on-the-fly, the search becomes much more complex:
yoursearchhere [ search yoursearchhere "art1"
| rex "\[(?<email>\S+@\S+)\]\s(?<action>\S+)\s.*?\:(?<article>.*)"
| search action=Read article=art1 | dedup email | fields email ]
You might want to read the documentation on creating field extractions.
Try the query below. Replace "email" with your sourcetype:
sourcetype=email
| rex "\[(?P<User>[^@]+)"
| search [ search sourcetype=email
    | rex "\[(?P<User>[^@]+)"
    | rex "\] (?P<Action>[^:]+):(?P<Item>.+)"
    | table _raw, User, Action, Item
    | where Action="Read articleId" AND Item="art1"
    | table User ]
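As an added illustration (not part of somesoni2's answer), the two-stage logic of that search replayed in Python against the question's sample events, using the answer's two rex patterns verbatim: `readers_of` plays the subsearch and `actions_by_readers` the outer search. The event list is constructed from the question, not captured from a real system.

```python
import re

# Constructed sample events, copied from the question.
EVENTS = [
    "[email1@test.com] Login system with username:email1",
    "[email1@test.com] Read articleId:art1",
    "[email1@test.com] Read articleId:art2",
    "[anotheremail1@test.com] Login system with username:email2",
]

# The two rex patterns from the answer; Python's re accepts the ?P<name> syntax unchanged.
# Note that USER_RE keeps only the local part before '@', so users with the same
# local part at different domains would collide in the report.
USER_RE = re.compile(r"\[(?P<User>[^@]+)")
ACTION_RE = re.compile(r"\] (?P<Action>[^:]+):(?P<Item>.+)")


def extract(raw):
    """Emulate the two `rex` stages: return the extracted fields, or None if either pattern fails."""
    m_user = USER_RE.search(raw)
    m_action = ACTION_RE.search(raw)
    if not (m_user and m_action):
        return None
    return {"_raw": raw, **m_user.groupdict(), **m_action.groupdict()}


def readers_of(events, item):
    """The subsearch: distinct Users whose Action is 'Read articleId' and whose Item is `item`."""
    users = []
    for raw in events:
        fields = extract(raw)
        if fields and fields["Action"] == "Read articleId" and fields["Item"] == item:
            if fields["User"] not in users:  # the final `table User` yields one row per match
                users.append(fields["User"])
    return users


def actions_by_readers(events, item):
    """The outer search: Splunk turns the subsearch rows into an OR'ed User="..." filter,
    so every event belonging to one of those users is kept."""
    wanted = set(readers_of(events, item))
    result = []
    for raw in events:
        fields = extract(raw)
        if fields and fields["User"] in wanted:
            result.append(fields)
    return result


if __name__ == "__main__":
    for row in actions_by_readers(EVENTS, "art1"):
        print(row["User"], "|", row["Action"], "|", row["Item"])
```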
What is your source/log file name? Instead of "sourcetype=email", use "source=<
I used your query and it always returns no result.
Sorry for the typo. I meant to say: replace "sourcetype=email" with whatever sourcetype you're using. I have updated the answer now.
Hi @somesoni2, what do you mean by the sourcetype command in your query?