I'm trying to create a report that will show me users who accessed a website (linkedin.com) . Fairly straight forward, but I am not the best dashboard / report creator. Using what I have from our enterprise security suite this is my search thus far.
| tstats `summariesonly` max(_time) as _time,values(Web.http_method) as http_method,values(Web.status) as status,count from datamodel=Web.Web where * (Web.dest="www.linkedin.com") by Web.src,Web.dest,Web.url | `drop_dm_object_name("Web")` | sort - count | fields _time,http_method,status,src,dest,url,count
hello there,
this seems like a wide open question. here is how i would approach it and hopefully it will help you focus a little bit.
first i recommend to ask yourself (or whoever will use the dashboard / report), "what is it that you would like to see?"
then i will probably whiteboard it or a quick napkin drawing, example:
timechart with count of hits over time, pie chart with top users hitting it, and a single value representing unique users hitting linkedin.
now i will try to create the right searches in regular SPL (no | tstats or data models).
when satisfied with results and how it looks, will translate it to | tstats format
hope it helps