Reporting

Url report with user browsing time and number of bytes used

ronaldlb
Explorer

Hi, I have tried everything, but I end up with either user name and website, or website with number of counts and bytes. What I am looking for is getting the user name with what sites have been visited by the user and how much time was spent on each site. Then, when drilled down, I would like to see how many bytes were used on the website and how much time was spent. I know there is a way, but I am lost; any help with this I would really appreciate. I have tried using | stats count by user, which gives me a list, and have tried this as well: sourcetype="pan_threat" url=* | transaction maxspan=1h maxpause=30m fields=src_ip, but it will not give me the report that I am looking for.

0 Karma

btorresgil
Builder

Hello, you can do this several ways, but here's one suggestion:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This results in a table where the columns are the User, the FQDN they are accessing, the bytes for that User/FQDN combination, and the duration for that User/FQDN combination.
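
As an added example (not btorresgil's search and not anything shipped with the Palo Alto Networks add-on), here is one way to extend that search so that each row is one user, with the per-site bytes, time and URL count folded into a single multivalue column. That is closer to the "user grouped with the sites visited" view asked for in the question, while the per-site figures stay readable for a drilldown. It assumes the same `pan_index` macro and the same field names as the search above (user, dst_hostname, bytes, elapsed_time, sourcetype, log_subtype) plus the url field used in the question:

```spl
`pan_index` user=* dst_hostname=*
    (sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url))
| stats values(sourcetype) AS sourcetypes
        sum(bytes) AS bytes
        sum(elapsed_time) AS duration
        dc(url) AS urls
  BY user dst_hostname
| search sourcetypes="pan_threat"
| eval site=dst_hostname." (".urls." URLs, ".tostring(bytes, "commas")." bytes, ".tostring(duration, "duration").")"
| stats list(site) AS sites
        sum(urls) AS total_urls
        sum(bytes) AS total_bytes
        sum(duration) AS total_duration
  BY user
| sort - total_duration
| eval total_duration=tostring(total_duration, "duration")
| table user total_urls total_bytes total_duration sites
```

The first stats is the same user/FQDN aggregation as above, with dc(url) added so the count of distinct URLs per host is kept; the search on the multivalue sourcetypes field drops user/host pairs that never produced a pan_threat URL event, so traffic to hosts with no URL log is excluded. The eval builds a one-line summary per site and the second stats rolls those up per user; list() keeps at most 100 values per user, so use values() (sorted, de-duplicated) if a user visits more hosts than that. Two caveats worth knowing before reading the numbers as "time spent": elapsed_time is the duration of a traffic session, so several concurrent sessions to the same host overlap and their sum overstates wall-clock time, and bytes is only summed from events that carry the field, i.e. the traffic logs, not the URL logs.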

bsachitano
Explorer

ronaldlb, any success with this?

0 Karma

ronaldlb
Explorer

Thanks btorresgil for the answer. This works, but I am not getting the bytes and duration, and the username is not grouped with the number of URLs visited; it is one URL per line with the same user. Am I missing something? Please advise, many thanks.

0 Karma

ronaldlb
Explorer

So when I do this I get the users with the websites visited and the total bytes used. But what I am looking for is users grouped with URLs (that is fine), but also with the number of bytes used by the website and the time spent on the website by user.

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype, values(dst_hostname) as hostname, sum(bytes) as bytes by user | search sourcetype="pan_threat" | table user hostname bytes

0 Karma