After all your feedback here is a new answer, which is tested and working, all based on your provided information.

First create a csv file called user-history containing: username, ipaddress, logintime, logouttime

Next create a csv file called hits-table containing: Clientid, hits, time, domain

Load them into Splunk using the methods from the docs or use the UI. Once the data is indexed use this search to get the result based on your last comment:

source="user-history.csv" OR source="hits-table.csv" host="indexer" sourcetype="csv"
| eval ClientId=coalesce(Clientid,ipaddress)
| fields ClientId, username, domain, time, hits
| streamstats values(username) AS user by ClientId
| stats sum(hits) AS total by user, ClientId, domain, time

Let me break this down and explain what is happening here:

This is the base search which will return all needed fields to get to the result.
source="user-history.csv" OR source="hits-table.csv" host="indexer" sourcetype="csv"

Next step is to use either Clientid or ipaddress as field ClientId
| eval ClientId=coalesce(Clientid,ipaddress)

Now we limit the used fields for the next steps
| fields ClientId, username, domain, time, hits

This is the most important step for you, because it will map the users to ClientId
| streamstats values(username) AS user by ClientId

So it can be used in the final stats to get the total hits on a domain by user and time
| stats sum(hits) AS total by user, ClientId, domain, time

If this still does not match your requirement, modify it until you're done. Hope this helps; it will be much more efficient than join and you will not hit any sub-search limits.


Username, ipaddress, logintime, logouttime

I uploaded them into splunk under index=ib_test_sample

index="ib_test_sample" sourcetype="csv"
| eval ClientId=coalesce(Clientid,ipaddress)
| fields ClientId, username, domain, time, hits, logintime, logouttime
| eval start_time=strptime(logintime, "%m/%d/%Y %H:%M:%S")
| eval end_time=strptime(logouttime, "%m/%d/%Y %H:%M:%S")
| eval dns_time=strptime(time, "%m/%d/%Y %H:%M:%S")
| streamstats values(username) AS user by ClientId
| stats sum(hits) AS total by user, ClientId, domain
| table user, ClientId, total, dns_time, start_time, end_time

I haven't added time where time is between logintime and logout time yet since this is not working.

User ClientId total dns_time start_time end_time
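As an added example, not code from the thread: the same correlation done outside Splunk in Python, over constructed CSV rows shaped like the two files the answer describes, including the login/logout window check that the follow-up comment says it has not yet got working in SPL. Usernames, addresses, domains and timestamps below are constructed sample values; the two CSV strings and the function names are assumptions for the illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data in the layout of user-history and hits-table
# (not the thread's real data). 10.0.0.5 is used by alice, then by bob.
USER_HISTORY = """username,ipaddress,logintime,logouttime
alice,10.0.0.5,01/02/2023 08:00:00,01/02/2023 12:00:00
bob,10.0.0.5,01/02/2023 13:00:00,01/02/2023 17:00:00
carol,10.0.0.9,01/02/2023 09:00:00,01/02/2023 18:00:00
"""

HITS_TABLE = """Clientid,hits,time,domain
10.0.0.5,3,01/02/2023 09:15:00,example.com
10.0.0.5,2,01/02/2023 14:30:00,example.com
10.0.0.5,1,01/02/2023 14:45:00,update.example.net
10.0.0.9,4,01/02/2023 10:00:00,example.com
10.0.0.5,7,01/02/2023 20:00:00,example.com
"""

FMT = "%m/%d/%Y %H:%M:%S"  # same format the thread's strptime calls use


def parse(ts):
    return datetime.strptime(ts, FMT)


def load_sessions(text):
    """Return (username, ip, login, logout) tuples from user-history rows."""
    return [(r["username"], r["ipaddress"],
             parse(r["logintime"]), parse(r["logouttime"]))
            for r in csv.DictReader(io.StringIO(text))]


def attribute_hits(sessions, hits_text):
    """Map each hit to the user whose session on that ClientId covers the
    hit's time, then sum hits by (user, ClientId, domain). A hit with no
    covering session is kept under user None so it stays visible rather
    than being silently credited to whoever last held the address."""
    totals = defaultdict(int)
    for r in csv.DictReader(io.StringIO(hits_text)):
        client, t = r["Clientid"], parse(r["time"])
        user = None
        for name, ip, login, logout in sessions:
            if ip == client and login <= t <= logout:
                user = name
                break
        totals[(user, client, r["domain"])] += int(r["hits"])
    return dict(totals)
```

The row at 20:00 on 10.0.0.5 falls outside both sessions on that address and is therefore reported under user None instead of being attributed to bob.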