Splunk Search

User data collapsed with activity information collected in separate statements

sureshchinta
Explorer

My app writes two log statements, audit and activity statement, for each invocation as below:

audit:
type:audit | tid:123 | userid:abc

activity:
type:activity | tid:123 | action:login

Need is to get a sense of what the user has done by displaying the userid and collapsing the action into a table.

What I tried so far is to define a transaction on audit log and collapsed all tid for a given user which displays data as below:

userid | tid

abc | 123
| 345

| 876

xyz | 793
| 438

How to show action values from activity instead of tid ?

Tags (2)
0 Karma

sundareshr
Legend

Try this (assuming all fields have been extracted)

index=webapp host=pxdtp00* (audit* OR activity*) | rex "(?<Action>audit|activity)"  | stats values(Action) as Action by UserId TxnId | mvexpand Action

UPDATED to include field extraction

0 Karma

sundareshr
Legend

Try the updated query. I modified it to include field extraction.

0 Karma

sureshchinta
Explorer

This query is getting results as wanted.

index=webapp host=host* AND IntegrationFrameworkV01 AND audit* |  dedup TxnId | table UserId TxnId | join TxnId [search index=webapp host=host* AND IntegrationFrameworkV01 AND client:* | eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S")  | stats values(Action) as Action sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency by TxnId HttpCode Date_Time  ]  | stats list(Action) as Action list(Latency) as Latency list(HttpCode) as HttpCode list(Date_Time) as DateTIme by UserId  | table UserId Action DateTIme Latency HttpCode

Job indicates,

'stats' command: limit for values of field 'DP_IF_Action' reached. Some values may have been truncated or ignored.

How to stop truncating results ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What is your current search statement?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sureshchinta
Explorer
index=webapp host=pxdtp00* AND audit* | transaction UserId | table UserId TxnId | join TxnId [search index=webapp host=pxdtp00* activity* | stats Action by TxnId ] | table UserId Action TxnId

search before join collapses all txnId fields for a given user. Next search is not able to complement action into the mix.

0 Karma
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...