Splunk Search

Join two searches and drilldown

mdavis43
Path Finder

I have two source types, one (A) has Active Directory information, user id, full name, department. The other (B) contains a list of files from the filesystem on our NAS, user ids, file names, sizes, dates.

I want to be able to sort the list (A) of files by a user id, and correlate back to a department (B)

I'd also like to be able to drill down from a column graph, click on user id, see what files and what sizes they have. Any way to do this in Splunk? This is more like business intelligence than simple log searching.

0 Karma

lguinn2
Legend

Yep, all of this is possible with Splunk. The community could provide a better, clearer answer if you asked a more definite question, but here are some ideas.

First, I would put the AD info into a lookup table. You could update this lookup regularly - you could even update the lookup by running a search.

Then the list of files would be easy to set up as follows:

sourcetype=filelist 
| lookup AD_lookup userId OUTPUT deptName userName
| sort deptName userName fileName
| table deptName userName fileName fileSize lastUpdated

Of course, you might want a completely different report, or a summary report. But once you have the report, you can put it on a dashboard. And from a dashboard, you can customize the drill-down.

Also, remember that Splunk searches data based on a timestamp - all events must have a time (or else Splunk will assign a time). You should consider the time parameters of your search.

The Splunk Tutorial covers everything through creating lookups and building a dashboard. Drill-downs from a dashboard (using simple XML) are discussed in the Dashboards and Visualizations manual. Given both a bit of experience in Splunk and a reasonable knowledge of the data, I would expect that this could be constructed in a few hours at most.

Finally, you might want to pick up a copy of the book Exploring Splunk - which is available as a free ebook or as hardcopy from Amazon or Splunk. This book will give you a lot of ideas about what you can do with Splunk.

0 Karma
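As an added illustration, not part of the original answer, here is a simple XML dashboard that wires the lookup-enriched search above to a column chart whose drilldown opens a per-user file table. The names are assumptions made for the example: a lookup definition called AD_lookup (fields userId, userName, deptName), a source type filelist with fields userId, fileName, fileSize and lastUpdated, and a source type ad_users holding the AD export used to build the lookup.

```xml
<dashboard>
  <label>NAS files by owner and department</label>

  <!-- Assumed one-off search that builds the lookup from the AD source type
       (run it manually or schedule it as a saved search):
       sourcetype=ad_users | dedup userId | table userId userName deptName | outputlookup AD_lookup.csv -->

  <row>
    <panel>
      <title>Total file size by user (click a column to drill down)</title>
      <chart>
        <search>
          <query>sourcetype=filelist
| lookup AD_lookup userId OUTPUT deptName userName
| stats sum(fileSize) AS totalBytes BY userId
| sort - totalBytes</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">userId</option>
        <option name="charting.axisTitleY.text">bytes</option>
        <!-- Clicking a column stores its x-axis value (the userId) in a token -->
        <drilldown>
          <set token="selected_user">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- This panel stays hidden until the token is set by the drilldown above -->
  <row>
    <panel depends="$selected_user$">
      <title>Files owned by $selected_user$</title>
      <table>
        <search>
          <query>sourcetype=filelist userId="$selected_user$"
| lookup AD_lookup userId OUTPUT deptName userName
| table deptName userName fileName fileSize lastUpdated
| sort - fileSize</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Two things to check before relying on this: lookup field matching is case-sensitive, so if the AD export names the account field differently from the file list (say sAMAccountName rather than userId), rename it in the lookup command with `| lookup AD_lookup sAMAccountName AS userId OUTPUT deptName userName`; and since Splunk searches by event time, the file-list events must carry a sensible timestamp (or the time picker widened), otherwise the table panel will come back empty for users the chart still shows.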