
How to display individual URI counts by user with timechart or stats?

Aaron_Fogarty
Path Finder

I am looking to display individual URI count by User on a timechart. Is this possible?

My current search returns the monthly total Accesses by User. I would like to see the monthly Access count of each URI by User

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes", match(_raw,"Stock"), "Stock", match(_raw,"Sector"), "Sector", match(_raw,"Search"), "Search") | eval User=lower(User) | lookup lookup1.csv user_id as User | timechart span=1mon count by Name limit=0

If this is not possible on a timechart, can it be done in a statistics chart?

1 Solution

somesoni2
Revered Legend

Depends on how many unique combinations you have for Name and URI; try this:

For a smaller number - timechart

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes", match(_raw,"Stock"), "Stock", match(_raw,"Sector"), "Sector", match(_raw,"Search"), "Search") | eval User=lower(User) | lookup lookup1.csv user_id as User | eval Name=Name.":".URI | timechart span=1mon count by Name limit=0

Stats

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes", match(_raw,"Stock"), "Stock", match(_raw,"Sector"), "Sector", match(_raw,"Search"), "Search") | eval User=lower(User) | lookup lookup1.csv user_id as User | eval Name=Name.":".URI | bucket span=1mon _time | stats count by _time Name URI


Aaron_Fogarty
Path Finder

Thanks for your help guys, much appreciated.


woodcock
Esteemed Legend

Like this:

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes", match(_raw,"Stock"), "Stock", match(_raw,"Sector"), "Sector", match(_raw,"Search"), "Search") | eval User=lower(User) | lookup lookup1.csv user_id as User | eval URI_and_User = URI . "::" . User | timechart span=1mon count BY URI_and_User limit=0

Because timechart can only break out a single BY field, we are combining 2 fields into 1 and breaking out BY that one.
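The following Python is an added, stand-alone illustration of the combined-BY-field trick used in both the accepted answer (Name:URI) and the answer above (URI::User); it is not code from the thread or from Splunk. It runs the same pipeline steps (classify the URI with first-match-wins rules, lowercase the user, resolve the user through a lookup, bucket by month, count) over a constructed set of access events and a hypothetical stand-in for lookup1.csv, producing first the long form that stats emits and then the wide table that timechart renders. It also reproduces what timechart's limit does (series beyond the top N are folded into OTHER), which is the reason the queries pass limit=0. Events whose URI matches no rule, or whose user is absent from the lookup, end up with a null BY field and are dropped, as stats and timechart do.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the thread): (timestamp, User, raw URL).
# Mixed-case user names show why the queries lowercase User before the lookup.
SAMPLE_EVENTS = [
    ("2024-01-03T10:15:00", "JDoe",   "https://abc.com/content/mobile/DailyNotes/123"),
    ("2024-01-09T11:00:00", "jdoe",   "https://abc.com/content/mobile/Stock/AAPL"),
    ("2024-01-12T14:05:00", "jdoe",   "https://abc.com/content/mobile/DailyNotes/125"),
    ("2024-01-21T09:30:00", "asmith", "https://abc.com/content/mobile/DailyNotes/124"),
    ("2024-02-02T08:45:00", "jdoe",   "https://abc.com/content/mobile/DailyNotes/130"),
    ("2024-02-05T13:10:00", "jdoe",   "https://abc.com/content/mobile/Stock/MSFT"),
    ("2024-02-14T16:20:00", "ASmith", "https://abc.com/content/mobile/Sector/Tech"),
    ("2024-02-15T16:21:00", "asmith", "https://abc.com/content/mobile/Archive/x"),  # matches no rule
    ("2024-02-16T12:00:00", "ghost",  "https://abc.com/content/mobile/Stock/IBM"),  # not in lookup
]

# Hypothetical stand-in for lookup1.csv (user_id -> Name).
USER_LOOKUP = {"jdoe": "John Doe", "asmith": "Alice Smith"}

# Mirrors eval URI=case(match(_raw,...), ...): rules are tried in order, first match wins.
URI_RULES = [(label, re.compile(label)) for label in ("DailyNotes", "Stock", "Sector", "Search")]


def classify_uri(raw):
    """Return the URI label for a raw event, or None when no case() branch matches."""
    for label, pattern in URI_RULES:
        if pattern.search(raw):
            return label
    return None


def month_bucket(ts):
    """Equivalent of bucket span=1mon _time: collapse an ISO timestamp to its month."""
    return datetime.fromisoformat(ts).strftime("%Y-%m")


def long_counts(events, lookup, sep=":"):
    """Long form, like '... | bucket span=1mon _time | stats count by _time Name URI'.

    Returns {(month, "Name<sep>URI"): count}. An event whose URI or Name is null
    has a null BY field and is dropped, as stats/timechart drop such events.
    """
    counts = Counter()
    for ts, user, raw in events:
        uri = classify_uri(raw)
        name = lookup.get(user.lower())  # eval User=lower(User) | lookup ... user_id as User
        if uri is None or name is None:
            continue
        counts[(month_bucket(ts), f"{name}{sep}{uri}")] += 1
    return counts


def timechart_table(counts, limit=0):
    """Wide form, like 'timechart span=1mon count by <combined field> limit=N'.

    Returns {month: {series: count}} with every series present in every month
    (missing cells are 0). With limit > 0 only the top-N series by total count
    are kept and the remainder is folded into an OTHER column; limit=0 keeps all.
    """
    totals = Counter()
    for (_, series), n in counts.items():
        totals[series] += n
    keep = set(totals)
    if limit > 0 and len(totals) > limit:
        keep = {series for series, _ in totals.most_common(limit)}
    months = sorted({month for month, _ in counts})
    columns = sorted(keep) + (["OTHER"] if keep != set(totals) else [])
    table = {month: {col: 0 for col in columns} for month in months}
    for (month, series), n in counts.items():
        table[month][series if series in keep else "OTHER"] += n
    return table


if __name__ == "__main__":
    counts = long_counts(SAMPLE_EVENTS, USER_LOOKUP)
    for month, row in timechart_table(counts).items():
        print(month, row)
    print("with limit=2:")
    for month, row in timechart_table(counts, limit=2).items():
        print(month, row)
```

Swapping the key in long_counts to f"{uri}::{user}" gives the URI::User series of the answer above instead of Name:URI; the pivot in timechart_table is unchanged either way.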

sundareshr
Legend

Try this:

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes", match(_raw,"Stock"), "Stock", match(_raw,"Sector"), "Sector", match(_raw,"Search"), "Search") | eval User=lower(User) | lookup lookup1.csv user_id as User | bin span=1mon _time as time | eval t=time."#".URI | chart count over t by Name | rex field=t "(?<Time>[^#]+)#(?<URI>.*)" | eval Time=strftime(tonumber(Time), "%x %X")
