My Search:
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats min(timestamp) as firstTime, max(timestamp) as lastTime by user action info
Some sample output:
user   action               info     firstTime                lastTime
xyzy   edit_user            granted  03-18-2013 16:06:48.631  03-18-2013 16:06:55.144
xyzy   rest_properties_get  granted  03-18-2013 16:06:45.905  03-18-2013 16:22:18.791
xyzy   rtsearch             granted  03-18-2013 16:07:41.107  03-18-2013 16:07:41.932
xyzy   search               granted  03-18-2013 16:00:09.230  03-18-2013 16:22:18.784
I'd like the user to appear once, with the remaining fields appearing as multi-values for that user, so that the user (xyzy) does not appear on every line. I've tried a bunch of ways to do it and just can't seem to make it work.
The basic idea of this search is to show me who was (or is) using splunkweb in the timeframe specified. That part seems to work nicely.
So what I would like it to look like is this:
No one is answering this so maybe my explanation of what I am trying to do is not clear. The search I am showing will work on any splunk installation, and you'd get results similar to what I showed above. But what I want it to look like is this:
user   action               info     firstTime                lastTime
xyzy   edit_user            granted  03-18-2013 16:06:48.631  03-18-2013 16:06:55.144
       rest_properties_get  granted  03-18-2013 16:06:45.905  03-18-2013 16:22:18.791
       rtsearch             granted  03-18-2013 16:07:41.107  03-18-2013 16:07:41.932
       search               granted  03-18-2013 16:00:09.230  03-18-2013 16:22:18.784
I figured out how to do it.
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user
And since I am mainly interested to see if someone is actively searching before I contemplate doing a splunk restart splunkd, I modified that a bit more:
index="_audit" [search index=_internal source="*web_access.log" user!="-" | stats by user | fields user] | search action="search" OR action="rtsearch" | stats values(action) as Action, values(info) as Info, max(timestamp) as lastTime, min(timestamp) as firstTime by user
Here is a sample display:
user     Action    Info     lastTime                 firstTime
atloren  rtsearch  granted  03-25-2013 15:59:39.766  03-25-2013 15:00:18.739
         search
depecio  rtsearch  granted  03-25-2013 15:59:39.319  03-25-2013 15:00:00.257
         search
echi     search    granted  03-25-2013 15:59:31.059  03-25-2013 15:00:06.320
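As an added illustration (not part of the original thread), here is a Python reimplementation of the final search over constructed sample _audit events and web_access.log lines, so the subsearch filter and the values()/min/max aggregation can be followed step by step; all event values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample _audit events in Splunk's audit-index layout (values are made up).
AUDIT_EVENTS = [
    "Audit:[timestamp=03-25-2013 15:00:18.739, user=atloren, action=rtsearch, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:59:39.766, user=atloren, action=search, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:00:00.257, user=depecio, action=search, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:59:39.319, user=depecio, action=rtsearch, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:00:06.320, user=echi, action=search, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:59:31.059, user=echi, action=search, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:30:00.000, user=echi, action=edit_user, info=granted ][n/a]",
    "Audit:[timestamp=03-25-2013 15:40:00.000, user=cronjob, action=search, info=granted ][n/a]",
]
# Constructed web_access.log lines; the third field is the splunkweb user, "-" when not logged in.
WEB_ACCESS = [
    '10.0.0.5 - atloren [25/Mar/2013:15:00:18 -0400] "GET /en-US/app/search HTTP/1.1" 200 512',
    '10.0.0.6 - depecio [25/Mar/2013:15:00:00 -0400] "POST /en-US/api/search/jobs HTTP/1.1" 201 88',
    '10.0.0.7 - echi [25/Mar/2013:15:00:06 -0400] "GET /en-US/app/search HTTP/1.1" 200 512',
    '10.0.0.8 - - [25/Mar/2013:15:10:00 -0400] "GET /en-US/account/login HTTP/1.1" 200 512',
]
AUDIT_FIELD = re.compile(r"(\w+)=([^,\]]+)")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"

def parse_audit(line):
    """Extract the key=value pairs from one _audit event."""
    return {k: v.strip() for k, v in AUDIT_FIELD.findall(line)}

def web_users(lines):
    """The subsearch: users seen in web_access.log, excluding '-' (user!="-")."""
    return {line.split()[2] for line in lines} - {"-"}

def active_searchers(audit_lines, web_lines, actions=("search", "rtsearch")):
    """The outer search: keep search/rtsearch audit events for splunkweb users,
    then stats values(action), values(info), max/min(timestamp) by user."""
    allowed = web_users(web_lines)
    rows = defaultdict(lambda: {"Action": set(), "Info": set(), "times": []})
    for line in audit_lines:
        ev = parse_audit(line)
        if ev.get("user") not in allowed or ev.get("action") not in actions:
            continue
        row = rows[ev["user"]]
        row["Action"].add(ev["action"])
        row["Info"].add(ev["info"])
        row["times"].append(datetime.strptime(ev["timestamp"], TS_FORMAT))
    # values() gives a deduplicated multi-value field, so the sets become sorted lists;
    # [:-3] trims strftime's microseconds back to the millisecond display Splunk shows.
    return {user: {"Action": sorted(r["Action"]), "Info": sorted(r["Info"]),
                   "lastTime": max(r["times"]).strftime(TS_FORMAT)[:-3],
                   "firstTime": min(r["times"]).strftime(TS_FORMAT)[:-3]}
            for user, r in rows.items()}
```

The user cronjob is dropped because it never appears in web_access.log, and echi's edit_user event is excluded by the action filter, matching the second search in the answer.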