Two searches combined including transaction

DanielFordWA · ‎05-29-2013

The below gives me the correct number of hits per external user

sourcetype="iis-2" | extract auto=true | search CORE_employee="F*" | stats count(cs_uri_stem) AS Hits by cs_username date | fields date cs_username Hits

The second search below gives me the roughly correct number of visits per user, I need to refine it slightly.

How would I combine the two into one search that would result in a table

date, cs_username, Hits, Visits

wpreston · ‎05-29-2013

I reread your question and updated my search to address request more accurately. One way would be the append command, with some eval and possibly stats usage as well. The key is making each search have the same columns. How about something like this:

sourcetype="iis-2" 
    | extract auto=true 
    | search CORE_employee="F*" 
    | eval Visits=0 
    | stats count(cs_uri_stem) AS "Hits", sum(Visits) as "Visits" by cs_username date 
    | fields date cs_username Hits Visits 
| append [search sourcetype="iis-2" 
    | extract auto=true 
    | search CORE_employee="F*" 
    | transaction cs_username maxspan=30m 
    | eval Hits=0 
    | stats count AS "Visits", sum(Hits) as "Hits" by cs_username date 
    | fields date cs_username Hits Visits ] 
| stats sum(Hits) as "Hits", sum(Visits) as "Visits" by date, cs_username

Does this do what you need?

DanielFordWA · ‎10-30-2013

Sorry for the late reply, this does seem to work for some months and not others, I'll investigate a bit and see what the issue is. Thanks for the response.

Two searches combined including transaction

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?