topic Re: How to use streamstats for different time window and different users in Splunk User Behavior Analytics

How to use streamstats for different time window and different users

TheKellind — Fri, 07 Aug 2020 08:27:01 GMT

Hi,

I am trying to build a table that counts different processes that occurred for a particular users in a 5 minute widow before the crash. I need that to analyze user behavior and reason behind the crash. I am using UberAgent data for this.

I have a search that shows events before the crash, the challenge is to combine different users with different 5 minute windows into one table. My raw data has time and event columns, I am looking for a way to introduce time filter per user:

time	event	time filter
01:05	crash_event_user_1
01:04:59	event_user_1	include
01:04:58	event_user_1	include
01:04:42	event_user_1	include
01:04:31	event_user_1	include
01:02:30	event_user_1	include
01:01:25	event_user_1	include
12:59:25	event_user_1	exclude
12:58:25	event_user_1	exclude
01:03	crash_event_user_2
01:02:59	event_user_2	include
01:02:58	event_user_2	include
01:02:42	event_user_2	include
12:48:25	event_user_2	include
12:47:25	event_user_2	exclude
12:46:25	event_user_2	exclude

Which commands you think can be useful in creating the searches?

Is there a use e.g. for streamstats in narrowing the 5 minute window? Might using window parameter help

Re: How to use streamstats for different time window and different users

thambisetty — Fri, 07 Aug 2020 14:04:35 GMT

can you provide one sample event.

Re: How to use streamstats for different time window and different users

TheKellind — Mon, 10 Aug 2020 09:37:58 GMT

Type	Field	Value
Selected	host	SI38-FAA0401035
	source	uberAgent
	sourcetype	uberAgent:Application:Errors
Event	AdDomainDns
	AdOu	Cloud/Servers/Global/Virtual Workspace/SNG/SI38/POD4a
	AdSite	Singapore
	AppId	MsOffc
	AppName	Microsoft Office
	AppVersion	16.0.11929.20776
	CPUCoresLogical	8
	CPUCoresPhysical	8
	CPUMaxMhz	2095
	CPUName	Intel(R) Xeon(R) Gold 6152 CPU @ 2.10GHz
	CPUSockets	4
	CtxDeliveryGroupName	Global_Win2016_Desktops_STD
	CtxFarmName	SI38_POD4a
	CtxMachineCatalogName	Global_ESX_Desktops_SI38_POD4a_CHS1
	ErrorType	1
	ErrorTypeName	Crash
	ExceptionCode	0xc0000005
	FaultOffset	0x0000000000065573
	HwIsVirtualMachine	1
	HwManufacturer	VMware, Inc.
	HwModel	VMware7,1
	Ipv4Address	10.91.32.147
	IsBatteryPresent	0
	ModuleName	ntdll.dll
	ModulePath	C:\Windows\SYSTEM32\ntdll.dll
	ModuleTimestamp	2020-04-08 11:22:46.000 +0800
	ModuleVersion	10.0.14393.3630
	OsBuild	14393
	OsType	Terminal Server
	OsUpdateBuildRevision	3808
	OsVersion	10
	ProcGUID	47a3a19d-786e-4e94-00fe-83135b186c58
	ProcID	20116
	ProcLifetimeMs	3139615
	ProcName	lync.exe
	ProcPath	C:\Program Files\Microsoft Office\root\Office16\lync.exe
	ProcTimestamp	2020-05-08 09:22:49.000 +0800
	ProcUser	XXX
	ProcVersion	16.0.11929.20776
	RAMSizeGB	64
	SessionGUID	00000003-912c-c4ef-ade4-af41c76ed601
	Timestamp	1.59703E+12
	dest	SI38-FAA0401035
Time	_time	2020-08-10T06:31:43.794+02:00
Default	index	app_uberagent_nonsec_int_sg
	linecount	1
	punct	,,.,:\_\_\\\.,...,--_::._+,.,:\\\.,...,--_::._+,,,
	splunk_server

Crashes I need to analyze are shown in the uberAgent:Application:Errors sourcetypes but the table with counts of e.g. ModuleName per user needs o have all sources available.