sort and combine multiple lines if there's no pause

lauj
Observer

Hi, I'm new to Splunk so any help would be greatly appreciated. I'm trying to do two different things, and I'm not quite sure how it's done. I need to be able to do a count of how many times a user made modifications on a specific server, but an hour break between modifications counts as a different instance. I also need to be able to sort the data, so it'll show the Location, Server Name, Username, and the count.

I'm able to use stats count to sort and give me a count of the instances, but I don't know how to combine multiple instances on a specific server by a user if they are not more than 1 hour apart.

Thanks.

Here's what the logs look like:

Security,Sep 3, 2012 8:33:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT,    jdoe    Security:4624,  192.10.2.21,    fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle

Here's what I want to be able to see:

Location    User      IP             Date                        Count
Seattle     Jdoe      192.10.1.21    Sep 3, 2012 8:33 PM EDT     2
Seattle     Jdoe      192.10.1.21    Sep 3, 2012 8:40 PM EDT     1
Seattle     Jdoe      192.10.1.21    Sep 3, 2012 8:50 PM EDT     1
Chicago     jsmith    192.10.2.59    Sep 12, 2012 10:54 AM EDT   2
Chicago     jsmith    192.10.2.59    Sep 12, 2012 10:59 AM EDT   2

Ayn
Legend

It definitely sounds like you should be looking into using transaction with the maxpause parameter. It will output the field eventcount, which you can use as your count.

... | transaction maxpause=1h Location User IP | eval Count=eventcount | eval Date=_time | table Location User IP Date Count
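
To show what that search actually computes on the sample lines from the question, here is an added example (not from the original thread and not Splunk's code) that implements the same grouping in Python: events sharing Location, User and IP stay in one transaction while consecutive events are no more than maxpause apart, the transaction's Date is its earliest event (Splunk's _time for a transaction) and Count is its size (Splunk's eventcount). The eight log lines are the ones quoted above, embedded as a constructed input; the zone abbreviation is dropped during parsing on the assumption that all lines share one zone.

```python
"""Sessionize login events the way `transaction maxpause=... Location User IP` does.

Added example, not code from the original post or from Splunk. Assumes every
line uses the same time zone and the field layout quoted in the question.
"""
from datetime import datetime, timedelta

# Constructed sample input: the eight log lines quoted in the question.
SAMPLE_LOG = """\
Security,Sep 3, 2012 8:33:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT,    jdoe    Security:4624,  192.10.2.21,    fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle
"""


def parse_line(line):
    """Parse one log line into a dict.

    The timestamp contains a comma ("Sep 3, 2012 ..."), so it spans two
    comma-separated fields; user and event ID share one field, split by spaces.
    """
    f = [p.strip() for p in line.split(",")]
    # Reassemble the timestamp and drop the zone abbreviation ("EDT").
    stamp = (f[1] + ", " + f[2]).rsplit(" ", 1)[0]
    user, event_id = f[3].split()
    return {
        "time": datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p"),
        "user": user,
        "event_id": event_id,
        "ip": f[4],
        "server": f[5],
        "location": f[6],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def sessionize(events, maxpause_seconds=3600, keys=("location", "user", "ip")):
    """Return (Location, User, IP, Date, Count) rows, one per session.

    Events are walked in time order. For each distinct key tuple a session
    stays open while the gap to the previous event with the same keys is at
    most maxpause_seconds; a larger gap closes it and starts a new one.
    Date is the session's first event time, Count the number of events.
    """
    maxpause = timedelta(seconds=maxpause_seconds)
    open_sessions = {}  # key tuple -> the session currently accepting events
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[k] for k in keys)
        cur = open_sessions.get(key)
        if cur is None or ev["time"] - cur["last"] > maxpause:
            cur = {"first": ev, "start": ev["time"], "last": ev["time"], "count": 0}
            open_sessions[key] = cur
            sessions.append(cur)
        cur["count"] += 1
        cur["last"] = ev["time"]
    return [
        (s["first"]["location"], s["first"]["user"], s["first"]["ip"], s["start"], s["count"])
        for s in sessions
    ]


def format_rows(rows):
    """Render rows as a tab-separated table with a human-readable Date."""
    out = ["Location\tUser\tIP\tDate\tCount"]
    for loc, user, ip, start, count in rows:
        # Build "Sep 3, 2012 8:33 PM" without platform-specific strftime flags.
        date = f"{start:%b} {start.day}, {start.year} {start.hour % 12 or 12}:{start:%M} {start:%p}"
        out.append(f"{loc}\t{user}\t{ip}\t{date}\t{count}")
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("maxpause=1h")
    print("\n".join(format_rows(sessionize(events))))
    print("\nmaxpause=300s")
    print("\n".join(format_rows(sessionize(events, maxpause_seconds=300))))
```

Two things worth noticing when you run it. With IP as one of the grouping keys, jdoe's 8:50 PM login from 192.10.2.21 always lands in its own row no matter how large maxpause is, and the two jsmith logins from 192.10.1.59 are likewise kept apart from the earlier 192.10.2.59 pair. And the pause value drives the row shape: at 1h the jdoe events on 192.10.1.21 collapse into a single row with Count 3, while at 300 seconds (the value asked about further down) the result is the five-row 2/1/1/2/2 breakdown. In SPL the Date column is the transaction's _time, which is epoch seconds; wrap it in strftime in the eval if you want it displayed like the sample above.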

Ayn
Legend

I'm sorry I don't follow what you want to achieve. Could you please explain it more clearly?


lauj
Observer

I still see a couple of instances where the time is within the maxpause, but it's not combining the count.

Using the answer provided above, can I use the information from the "Date" field and have Splunk combine and add a count if the "Date" difference is less than 300? The information displayed in the "Date" field shows a 10-digit number.

kristian_kolb
Ultra Champion

dammit! too fast for me... 🙂


lauj
Observer

I've looked at the transaction command, but that didn't seem to be able to do what I want.

kristian_kolb
Ultra Champion

Please tell us more about the log data in question.

Other than that, have you looked at the transaction command?
