
Splunk for Palo Alto Networks: How to search time spent (duration) and sum of bytes per URL by user?

ronaldlb
Explorer

Hi, when I do this:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user | search sourcetype="pan_threat" | table user hostname bytes duration 

I get the result as:

Ronald        website           total bytes                 total duration

Whereas I am looking for:

Ronald        1st website       1st website bytes used      1st website time spent
              2nd website       2nd website bytes used      2nd website time spent

I have tried almost everything, but nothing has worked.

0 Karma

richgalloway
SplunkTrust

Have you tried this?

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

Thank you for your reply. When I add the line it says (No results found.).

0 Karma

ronaldlb
Explorer

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This works and I got this from btorresgil, but it would not show the bytes or the duration, so I tried everything possible and only got as far as my answer above.

0 Karma

richgalloway
SplunkTrust

Perhaps this will work better.

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

I got an error (Error in 'stats' command: The output field 'hostname' cannot have the same name as a group-by field.)

0 Karma
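Editor's added example (not from any participant in this thread): the last error above comes from naming a stats output field the same as a group-by field. Grouping by dst_hostname and renaming it afterwards gives one row per user and website; it assumes both the pan_traffic and the pan_threat URL events carry dst_hostname for the same session, which is not confirmed on this page.

```spl
`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url)
| stats values(sourcetype) as sourcetype
        sum(bytes) as bytes
        sum(elapsed_time) as duration
  by user, dst_hostname
| rename dst_hostname as hostname
| search sourcetype="pan_threat"
| table user hostname bytes duration
```

Note that `search sourcetype="pan_threat"` after stats keeps only rows whose multivalue sourcetype field includes pan_threat, so if the traffic events for a website never share a dst_hostname value with a URL threat event, that website's bytes and duration will not appear.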