Splunk Search

User data collapsed with activity information collected in separate statements

sureshchinta
Explorer

My app writes two log statements, audit and activity statement, for each invocation as below:

audit:
type:audit | tid:123 | userid:abc

activity:
type:activity | tid:123 | action:login

Need is to get a sense of what the user has done by displaying the userid and collapsing the action into a table.

What I tried so far is to define a transaction on audit log and collapsed all tid for a given user which displays data as below:

userid | tid

abc | 123
| 345

| 876

xyz | 793
| 438

How to show action values from activity instead of tid ?

Tags (2)
0 Karma

sundareshr
Legend

Try this (assuming all fields have been extracted)

index=webapp host=pxdtp00* (audit* OR activity*) | rex "(?<Action>audit|activity)"  | stats values(Action) as Action by UserId TxnId | mvexpand Action

UPDATED to include field extraction

0 Karma

sundareshr
Legend

Try the updated query. I modified it to include field extraction.

0 Karma

sureshchinta
Explorer

This query is getting results as wanted.

index=webapp host=host* AND IntegrationFrameworkV01 AND audit* |  dedup TxnId | table UserId TxnId | join TxnId [search index=webapp host=host* AND IntegrationFrameworkV01 AND client:* | eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S")  | stats values(Action) as Action sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency by TxnId HttpCode Date_Time  ]  | stats list(Action) as Action list(Latency) as Latency list(HttpCode) as HttpCode list(Date_Time) as DateTIme by UserId  | table UserId Action DateTIme Latency HttpCode

Job indicates,

'stats' command: limit for values of field 'DP_IF_Action' reached. Some values may have been truncated or ignored.

How to stop truncating results ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is your current search statement?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshchinta
Explorer
index=webapp host=pxdtp00* AND audit* | transaction UserId | table UserId TxnId | join TxnId [search index=webapp host=pxdtp00* activity* | stats Action by TxnId ] | table UserId Action TxnId

search before join collapses all txnId fields for a given user. Next search is not able to complement action into the mix.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...