Splunk Search

Hi all, I'm pretty new to Splunk and getting my hands on it. My question is: what query is used to get the data of a specific user?

sujith0311
New Member

Hi all, I'm pretty new to Splunk and getting my hands on it. My question is, I have an index=sftp and a user such as xyz. I tried many queries to get an output where I can see the user's filename, upload, uploaded by, upload time, download, downloaded by and download time. So what is the query that I can use to get all this? Any suggestions on it, or any documentation that I need to follow to get this result?

0 Karma

koshyk
Super Champion

It depends on how you want the output. The raw events can be fetched by putting _raw.
If you want to extract certain fields only, you can do something like:

index=sftp user=xyz | table filename, upload, upload_by, download

The key documents I would follow as a newbie are:
- http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
- http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

0 Karma

sujith0311
New Member

Thank you for your quick reply, koshyk. What I'm trying to do is, when I give the input index=sftp USER=gradydftsftp, it gives output like:
Jan 27 10:15:01 wmcloudsftp internal-sftp[9055]: session closed for local user gradydftsftpdata.
Jan 27 09:15:03 wmcloudsftp internal-sftp[4534]: session closed for local user gradydftsftpdata

So my question is, how can I create a dashboard with a query which displays file name, upload by, upload time, download, download by and download time?

Filename is something like (9055)
Upload by is gradydftsftp
Upload time is 09:15:03

0 Karma

koshyk
Super Champion

Depending on what fields you want, you can create any dashboard,
e.g. for a timechart-based dashboard:

index=sftp user=xyz | timechart count

and look into the Visualization tab. You can select an appropriate chart and format. Then you can click on "Save As" and save that as a dashboard.

0 Karma
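The two answers above show the two building blocks (a `table` of extracted fields, and a `timechart` for a dashboard panel) but not the extraction itself, and the lines quoted in the second post have no `filename`, `upload` or `user` fields for `table` to show: Splunk only sees a raw syslog line, and a default `index=sftp user=xyz` search matches nothing unless a field called `user` has been extracted (field names are case-sensitive, so `USER=` and `user=` are also different fields). Two points a practitioner would check before building the dashboard: the number in brackets, `internal-sftp[9055]`, is the process ID of the sftp subsystem, not a file name, and a `session closed for local user ...` line carries no file name at all. OpenSSH's sftp-server only logs per-file operations such as `close "/path" bytes read N written M` when the subsystem runs at log level INFO (`Subsystem sftp internal-sftp -l INFO` in sshd_config); without that, the index will never contain the file names the question asks for.

The search below is an added example, not code from the thread or from Splunk's documentation. It builds a handful of constructed events with `makeresults` so it can be pasted into any search bar without the sftp index; the `session closed` lines are the ones quoted above, while the `session opened ... from [ip]` and `close "..." bytes read/written` formats are assumed from OpenSSH's sftp-server INFO-level messages and the client IP, path and byte counts are made up. Field names `sftp_user`, `client_ip`, `direction`, `session_start` and `session_end` are this example's own. Syslog lines carry no year, so the current year is assumed when `_time` is derived. It uses `rex` to extract the PID, user and file name, then `eventstats` keyed on host and PID to copy the user from the session events onto the file-close events in the same session, which yields one row per file with who transferred it, when, and in which direction.

```spl
| makeresults
| eval _raw=split("Jan 27 09:15:01 wmcloudsftp internal-sftp[4534]: session opened for local user gradydftsftpdata from [10.0.0.5]|Jan 27 09:15:02 wmcloudsftp internal-sftp[4534]: close \"/upload/report.csv\" bytes read 0 written 20480|Jan 27 09:15:03 wmcloudsftp internal-sftp[4534]: session closed for local user gradydftsftpdata|Jan 27 10:15:01 wmcloudsftp internal-sftp[9055]: session closed for local user gradydftsftpdata.", "|")
| mvexpand _raw
| rex "^(?<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) internal-sftp\[(?<pid>\d+)\]: (?<msg>.*)$"
| eval _time=strptime(ts." ".strftime(now(), "%Y"), "%b %d %H:%M:%S %Y")
| rex field=msg "^session (?<session_event>opened|closed) for local user (?<sftp_user>[^\s.]+)(?: from \[(?<client_ip>[^\]]+)\])?"
| rex field=msg "^close \"(?<filename>[^\"]+)\" bytes read (?<bytes_read>\d+) written (?<bytes_written>\d+)"
| eventstats values(sftp_user) AS sftp_user, values(client_ip) AS client_ip, min(_time) AS session_start, max(_time) AS session_end BY host, pid
| where isnotnull(filename)
| eval direction=case(tonumber(bytes_written)>0, "upload", tonumber(bytes_read)>0, "download", true(), "none")
| fieldformat session_start=strftime(session_start, "%Y-%m-%d %H:%M:%S")
| fieldformat session_end=strftime(session_end, "%Y-%m-%d %H:%M:%S")
| table _time, host, pid, sftp_user, client_ip, direction, filename, bytes_read, bytes_written, session_start, session_end
```

Against real data, replace the first three lines with `index=sftp "internal-sftp"` and keep the rest of the pipeline. The session-only events, including the two `session closed` lines quoted in the thread, drop out at `where isnotnull(filename)` because they contain no file name; only file-close rows survive, each carrying the user and client IP taken from the session events that share its host and PID. For the timechart-based dashboard from the second answer, swap the final `table` for `| timechart span=1h count BY direction` (or `BY sftp_user`) and use "Save As" as described there. One caveat: PIDs are reused over time, so keying on host and PID is only safe within a time range short enough that a PID is not recycled; for long windows, use `transaction host pid startswith="session opened" endswith="session closed"` instead of `eventstats`, or also group by the session-open day.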