Need help in stats for value-to-multivalue relationship in output

wrangler2x
Motivator

My Search:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats min(timestamp) as firstTime, max(timestamp) as lastTime by user action info

Some sample output:

        user    action                  info    firstTime               lastTime
1       xyzy    edit_user               granted 03-18-2013 16:06:48.631 03-18-2013 16:06:55.144
2       xyzy    rest_properties_get     granted 03-18-2013 16:06:45.905 03-18-2013 16:22:18.791
3       xyzy    rtsearch                granted 03-18-2013 16:07:41.107 03-18-2013 16:07:41.932
4       xyzy    search                  granted 03-18-2013 16:00:09.230 03-18-2013 16:22:18.784

I'd like the user to appear once, with the remaining fields appearing as multi-values to that user so that the user (xyzy) does not appear on every line. I've tried a bunch of ways to do it, and just can't seem to make it work.

The basic idea of this search is to show me who was (or is) using splunkweb in the timeframe specified. That part seems to work nicely.

So what I would like it to look like is this:

No one is answering this so maybe my explanation of what I am trying to do is not clear. The search I am showing will work on any splunk installation, and you'd get results similar to what I showed above. But what I want it to look like is this:

  user  action                  info    firstTime               lastTime
1 xyzy  edit_user               granted 03-18-2013 16:06:48.631 03-18-2013 16:06:55.144
        rest_properties_get     granted 03-18-2013 16:06:45.905 03-18-2013 16:22:18.791
        rtsearch                granted 03-18-2013 16:07:41.107 03-18-2013 16:07:41.932
        search                  granted 03-18-2013 16:00:09.230 03-18-2013 16:22:18.784

wrangler2x
Motivator

I figured out how to do it.

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

And since I am mainly interested to see if someone is actively searching before I contemplate doing a splunk restart splunkd, I modified that a bit more:

index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user

Here is a sample display:

   user         Action   Info           lastTime                firstTime
1  atloren      rtsearch granted        03-25-2013 15:59:39.766 03-25-2013 15:00:18.739
                search                      
2  depecio      rtsearch granted        03-25-2013 15:59:39.319 03-25-2013 15:00:00.257
                search              
3  echi         search   granted        03-25-2013 15:59:31.059 03-25-2013 15:00:06.320
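The grouping the question asks for and the accepted answer achieves with stats values()/min()/max() by user can be reproduced outside Splunk, which makes the semantics explicit: values() returns the distinct values of a field in lexicographic order, and min()/max() on the string timestamp field are also lexicographic comparisons (fine within one year, wrong across a year boundary, so the code below parses the timestamp instead). The following Python is an added example, not code from the original post or from Splunk; the audit lines are constructed to approximate the _audit key=value layout, and the parse_audit, stats_by_user, active_since and render functions are hypothetical names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of _audit-style events (not real data). Only the fields the
# search in the post groups on are used: timestamp, user, action, info.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-25-2013 15:00:18.739, user=atloren, action=rtsearch, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:59:39.766, user=atloren, action=search, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:00:00.257, user=depecio, action=search, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:59:39.319, user=depecio, action=rtsearch, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:30:00.000, user=depecio, action=rtsearch, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:00:06.320, user=echi, action=search, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:59:31.059, user=echi, action=search, info=granted ][n/a]
Audit:[timestamp=03-25-2013 15:10:00.000, user=echi, action=edit_user, info=granted ][n/a]
"""

FIELD_RE = re.compile(r"(timestamp|user|action|info)=([^,\]]+)")
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"  # the MM-DD-YYYY layout shown in the post's output


def parse_audit(text):
    """Extract the four key=value fields from each audit line; skip incomplete lines."""
    events = []
    for line in text.splitlines():
        fields = {k: v.strip() for k, v in FIELD_RE.findall(line)}
        if {"timestamp", "user", "action", "info"} <= fields.keys():
            events.append(fields)
    return events


def _fmt(dt):
    # strftime's %f is six digits; the post's output shows milliseconds.
    return dt.strftime(TS_FMT)[:-3]


def stats_by_user(events, actions=None):
    """Equivalent of: | search action=... | stats values(action) values(info)
    max(timestamp) min(timestamp) by user.  `actions`, if given, is the set of
    action values to keep (the answer uses {"search", "rtsearch"})."""
    groups = defaultdict(list)
    for ev in events:
        if actions is None or ev["action"] in actions:
            groups[ev["user"]].append(ev)
    rows = []
    for user in sorted(groups):
        evs = groups[user]
        times = [datetime.strptime(e["timestamp"], TS_FMT) for e in evs]
        rows.append({
            "user": user,
            "Action": sorted({e["action"] for e in evs}),  # values(): distinct, sorted
            "Info": sorted({e["info"] for e in evs}),
            "firstTime": _fmt(min(times)),  # real time ordering, not string ordering
            "lastTime": _fmt(max(times)),
        })
    return rows


def active_since(rows, cutoff):
    """Users whose lastTime is at or after `cutoff` (a TS_FMT string): the
    'is anyone still searching before I restart' question from the answer."""
    cut = datetime.strptime(cutoff, TS_FMT)
    return [r["user"] for r in rows
            if datetime.strptime(r["lastTime"], TS_FMT) >= cut]


def render(rows):
    """Show each user once, with multivalue cells on continuation lines, as
    Splunk's table view does for the answer's stats output."""
    out = []
    for r in rows:
        height = max(len(r["Action"]), len(r["Info"]))
        for i in range(height):
            out.append("%-10s %-20s %-8s %-23s %-23s" % (
                r["user"] if i == 0 else "",
                r["Action"][i] if i < len(r["Action"]) else "",
                r["Info"][i] if i < len(r["Info"]) else "",
                r["firstTime"] if i == 0 else "",
                r["lastTime"] if i == 0 else ""))
    return "\n".join(out)


if __name__ == "__main__":
    rows = stats_by_user(parse_audit(SAMPLE_AUDIT), actions={"search", "rtsearch"})
    print(render(rows))
    print("still active:", active_since(rows, "03-25-2013 15:59:35.000"))
```

Running it prints the same shape as the sample display in the answer (user once, Action stacked). Pass actions=None to stats_by_user to get the first, unfiltered search from the answer, in which echi's Action also lists edit_user.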
