Splunk Search

How do I add an additional search condition to my table?

elijahm
Explorer

index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out"
| rex "^\[(?[^\]]+)\].*\[(?[^\]]+)\]\[(?[a-zA-Z]*)\](?[^\(]+)\(\d*\)(.*makeModel=(?.*),make)*(:StdOUT (?.*))*.*"
| eval _time=strptime(time,"%a %b %d %H:%M:%S")
| fields - _raw time
| stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip
| eval duration=(latestTime-_time)
| fields - latestTime
| search allTypes="NodeManager.getNodeByHWaddress" AND allTypes!="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes

The above search query creates a table which has a column with users' macaddresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose macaddresses appear in the past logs on different days. I'm trying to find the users that have used my program multiple times in the past and keep using it.

If the below search returns events that are on different days, then I want to display this user in the table I created above. Thanks!
index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f

0 Karma

ansusabu
Communicator

You can use the 'join' command if you want to retrieve the list of users for the mac addresses which you have obtained. OR you can use 'appendcols' if both queries are not related.

0 Karma

richgalloway
SplunkTrust

Try adding this to the end of your query:

| bucket span=1d _time | stats count values(*) as * by macaddress | where count > 1
---
If this reply helps you, Karma would be appreciated.
0 Karma
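As an added illustration (not code from either poster), the search below expresses the "seen on more than one calendar day" condition on a constructed sample rather than the real index: the first five lines build five events for two ips and two MAC addresses, one MAC appearing on two different days, and the rest count distinct days per macaddress with eventstats before the stats by ip, while per-event timestamps are still available. The field names ip, macaddress and _time are taken from the question; activeDays and day are names assumed here.

```spl
| makeresults count=5
| streamstats count as n
| eval ip=case(n<=3, "10.0.0.5", true(), "10.0.0.9")
| eval macaddress=case(n<=3, "3c-43-a3-cc-f5-3f", true(), "aa-bb-cc-dd-ee-ff")
| eval _time=case(n==1, strptime("2024-03-01 08:00", "%Y-%m-%d %H:%M"), n==2, strptime("2024-03-01 13:00", "%Y-%m-%d %H:%M"), n==3, strptime("2024-03-04 09:00", "%Y-%m-%d %H:%M"), n==4, strptime("2024-03-02 10:00", "%Y-%m-%d %H:%M"), true(), strptime("2024-03-02 11:30", "%Y-%m-%d %H:%M"))
| eval day=strftime(_time, "%Y-%m-%d")
| eventstats dc(day) as activeDays by macaddress
| eventstats max(activeDays) as activeDays by ip
| where activeDays > 1
| stats count as eventCount min(_time) as _time max(_time) as latestTime values(macaddress) as macaddress values(activeDays) as activeDays by ip
| eval duration=(latestTime-_time)
| fields - latestTime
```

Only the 10.0.0.5 row survives (eventCount 3, activeDays 2), because aa-bb-cc-dd-ee-ff was seen on a single day; the second eventstats copies the per-MAC day count onto every event from the same ip, so events that carry type, device or name but no macaddress are not dropped by the where clause.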

elijahm
Explorer

It makes my table return only 1 statistic with the macaddresses column empty and the other columns listing their elements in the one statistic, so I can't tell what information is correlated to which user.

0 Karma

richgalloway
SplunkTrust

The macaddress field would be empty only if none of the events have a value for that column by the time the stats command runs. What do your results look like before the bucket command?

---
If this reply helps you, Karma would be appreciated.
0 Karma