Reporting

How can I generate a report on a weekly basis for the previous week broken down by day?

SplunkLunk
Path Finder

Greetings,

I want to search for five or more times a person views a PDF document in an application over the course of one day. Then, once a week I want to send all the events for that week to the application admins so they can investigate why a user(s) might be viewing so many PDFs in a day (the PDF has sensitive data). My current search looks like this for the last 24 hours:

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
|eventstats  count as Count values("PROCESS_TYPE") as "Process Type" by "USERS_NAME"
|where Count > 4
|table Time,"User ID", "Case ID", "User's Name", "Process Area", "Process Table", "Process Type", "Process Description",
|sort "User's Name"
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

The admins don't want the report each day, but they want a breakdown by day every week. Thanks for any advice anyone can provide.

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

This updated solution assumes that _time is present on each record in epoch format.

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin _time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

This solution assumes that Time is in epoch time format. Just run it once a week, and bin the days before the eventstats...

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin Time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

This updated solution assumes that _time is present on each record in epoch format.

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin _time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

This solution assumes that Time is in epoch time format. Just run it once a week, and bin the days before the eventstats...

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin Time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time
0 Karma

SplunkLunk
Path Finder

That doesn't really do what I need it to do. It looks like that ends up showing events greater than 4 across the entire span of seven days. So "Molly" had 6 events over 7 days, but only 2 on Monday, 2 on Wed., and 2 on Thursday. I need to generate a report over 7 days of people that only had 5 or greater "views" on one day. So the report would show activity for all seven days, but only list "Molly" if she had > 5 views on Monday, "Kelly" if she had > 5 views on Wed., etc. Is this possible?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@SplunkLunk - then Time must not be present on each record in epoch time format, or Day would be calculated correctly and the Count would be restricted by Day. Updated code to use _time instead.

0 Karma

SplunkLunk
Path Finder

Thanks. That looks like it worked. Much appreciated!

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...