How to edit my search to display a table of user I...

ronj_clark · ‎04-06-2016

I have a search that searches for source IP addresses that hit a specific site. Then takes the source IP and “appends” that to the main search. I can get this to work producing raw data entries, but I want a table with the user ID and the IP address.

This produces raw events:

index="AD" OR index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*"  cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org" | fields src | dedup src ]

So where would the table statement go? I have tried at the very end outside the brackets, and before the opening bracket. None worked.

somesoni2 · ‎04-06-2016

The syntax that you've here is not for appending the src to main search, but it is to filter the result from the main search so that only the matching src (I believe your main search also has a field called src) raw events are kept.

If above does give you the data you need, add the table to the end of the search. Note that you can only select the fields which are available in the main search.

index="AD" OR index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*"  cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org" | stats count by src | fields src ] | table src userfieldname

How to edit my search to display a table of user IDs and IP addresses?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms