
Need help in stats for value-to-multivalue relationship in output

wrangler2x
Motivator

My Search:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats min(timestamp) as firstTime, max(timestamp) as lastTime by user action info

Some sample output:

        user    action                  info    firstTime               lastTime
1       xyzy    edit_user               granted 03-18-2013 16:06:48.631 03-18-2013 16:06:55.144
2       xyzy    rest_properties_get     granted 03-18-2013 16:06:45.905 03-18-2013 16:22:18.791
3       xyzy    rtsearch                granted 03-18-2013 16:07:41.107 03-18-2013 16:07:41.932
4       xyzy    search                  granted 03-18-2013 16:00:09.230 03-18-2013 16:22:18.784

I'd like the user to appear once, with the remaining fields appearing as multi-values for that user, so that the user (xyzy) does not appear on every line. I've tried a bunch of ways to do it and just can't seem to make it work.

The basic idea of this search is to show me who was (or is) using splunkweb in the timeframe specified. That part seems to work nicely.

No one is answering this, so maybe my explanation of what I am trying to do is not clear. The search I am showing will work on any Splunk installation, and you'd get results similar to what I showed above. But what I want it to look like is this:

  user  action                  info    firstTime               lastTime
1 xyzy  edit_user               granted 03-18-2013 16:06:48.631 03-18-2013 16:06:55.144
        rest_properties_get     granted 03-18-2013 16:06:45.905 03-18-2013 16:22:18.791
        rtsearch                granted 03-18-2013 16:07:41.107 03-18-2013 16:07:41.932
        search                  granted 03-18-2013 16:00:09.230 03-18-2013 16:22:18.784
1 Solution

wrangler2x
Motivator

I figured out how to do it.

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

And since I am mainly interested in seeing whether someone is actively searching before I contemplate doing a "splunk restart splunkd", I modified that a bit more:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

Here is a sample display:

   user         Action   Info           lastTime                firstTime
1  atloren      rtsearch granted        03-25-2013 15:59:39.766 03-25-2013 15:00:18.739
                search                      
2  depecio      rtsearch granted        03-25-2013 15:59:39.319 03-25-2013 15:00:00.257
                search              
3  echi         search   granted        03-25-2013 15:59:31.059 03-25-2013 15:00:06.320
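
Two details of the accepted search are worth knowing before relying on its output. First, values() deduplicates and sorts alphabetically, which is why Info shows "granted" once while Action lists two entries, and why firstTime/lastTime become per-user rather than per-action as in the layout asked for in the question. Second, min() and max() on the _audit timestamp field compare strings lexicographically, and that field is formatted MM-DD-YYYY, so across a month or year boundary "04-01-2013" sorts before "12-31-2012". The search below is an added example, not part of the original thread, that keeps each action's own first and last time by aggregating twice: the first stats works on the epoch _time field, the second collapses the per-action rows with list(), which keeps one entry per row in arrival order (up to 100 values per field). The subsearch is the original one except that "stats count by user" replaces "stats by user".

```spl
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats count by user | fields user]
| stats min(_time) as firstTime, max(_time) as lastTime by user action info
| eval firstTime=strftime(firstTime, "%m-%d-%Y %H:%M:%S.%3N"), lastTime=strftime(lastTime, "%m-%d-%Y %H:%M:%S.%3N")
| sort 0 user action
| stats list(action) as action, list(info) as info, list(firstTime) as firstTime, list(lastTime) as lastTime by user
```

Each user then appears on one row, and the n-th entry of action, info, firstTime and lastTime all describe the same action, matching the desired table in the question. To keep the "is anyone searching right now" variant, insert "| search action="search" OR action="rtsearch"" before the first stats.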
