Splunk Search

How to create a table that will identify student IDs that visit pages outside of what they regularly access?

pavanae
Builder

Hi, I have a Splunk search as below:

My Search | where date_hour>=19 OR date_hour<7 | bin span=1h _time | convert ctime(_time) as Date_and_Time | stats values(page) as page_accessed by user_id | sort -count | head 5 | rename user_id AS Student_id

which displays the result as follows:

Student_id    page_accessed

A1234         HomePage
              SemesterReport

B5678         HomePage
              Course_Structure
              Syllabus

A5678         Attendance
              HomePage

B1234         CourseStructure

So, now I want to display only the Student_ids who are visiting pages outside of what they regularly access. Is it possible to identify that in Splunk?

For example, consider Student ID "A1234": daily he used to access the HomePage and SemesterReport, but yesterday he accessed the CourseStructure page. I want to see his student ID and what he visited other than what he regularly visits, in the next panel.

0 Karma
1 Solution

niketn
Legend

The following will give you the count of the various pages accessed for the list of all users. A lower count implies rarely accessed.

your base search
| chart count over user_id by page | rename count as page_accessed

Similarly, you can also reverse the user_id and page fields as per your need, which will give you a list of all pages and the user count for those who accessed the same.

your base search
| chart count over page by user_id | rename count as page_accessed

While the above is a statistical function to get data for user logins, what you really want is to detect outliers in user access. Refer to the Splunk Machine Learning Toolkit app, which has a Showcase example, "Detect Outliers in Number of Logins (vs. Predicted Value)".

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

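One way to build the panel pavanae describes, as an added example that is not part of either post: split each student's page hits into a baseline window and the most recent day, count both per user/page pair, and keep only the pages that had no baseline hits at all. It assumes the base search ("My Search", as in the question) yields user_id and page fields, and the 30-day baseline window is an assumption, not a value from the thread.

```spl
My Search earliest=-30d@d latest=now
| where date_hour>=19 OR date_hour<7
| eval period=if(_time>=relative_time(now(),"-1d@d"), "recent", "baseline")
| stats count(eval(period="baseline")) AS baseline_hits count(eval(period="recent")) AS recent_hits BY user_id page
| where baseline_hits=0 AND recent_hits>0
| stats values(page) AS new_pages_visited BY user_id
| rename user_id AS Student_id
```

Students whose recent pages all fall inside their own baseline drop out of the result entirely, so the table lists only the deviations. Lengthen or shorten the earliest= window to control how long a newly legitimate page keeps being flagged.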
