Re: How can I track employees' website usage?

jVolpi · ‎07-05-2016

Hello

My firm currently has the dashboard below that shows top employees utilization and top sites visited.
I am looking for a way to query how may times a person has or remote office has hit a certain site and how much utilization it is using.

index="istr_security" sourcetype=bcoat_proxysg 10.X.X.  | rex field=_raw "^\S+ \S+ \S+ (?\S+)"   | rex field=_raw "(?[a-z]+://(?[^:/]+)\S+) (?\d+)"   | rex field=fqdn "(?[^.]+\.[^.]+)$"   | rex field=_raw "(?\d+) (?\d+) (?\d+)"   | eval server_mbytes=round(server_bytes/1000000,2)    | eval duration_secs=round(duration_msecs/1000,2)    | timechart useother=0 sum(server_mbytes) by corpid

Thank you

sundareshr · ‎07-05-2016

Try this

index="istr_security" sourcetype=bcoat_proxysg 10.X.X. "*certainsite.com"| rex field=_raw "^\S+ \S+ \S+ (?\S+)" | rex field=_raw "(?[a-z]+://(?[^:/]+)\S+) (?\d+)" | rex field=fqdn "(?[^.]+.[^.]+)$" | rex field=_raw "(?\d+) (?\d+) (?\d+)" | eval server_mbytes=round(server_bytes/1000000,2) | eval duration_secs=round(duration_msecs/1000,2) | stats count sum(server_mbytes) as mbytes by corpid

jVolpi · ‎07-06-2016

Thank you. I tried to copy and paste this into the code field and tweaked the IP to reflect our proxy server and seem to run into a snag.

Error in 'rex' command: Encountered the following error while compiling the regex '^\S+ \S+ \S+ (?\S+)': Regex: unrecognized character after (? or (?-

How can I track employees' website usage?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?