
Splunk for Palo Alto Networks: How to search time spent (duration) and sum of bytes per URL by user?

ronaldlb
Explorer

Hi, when I do this:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user | search sourcetype="pan_threat" | table user hostname bytes duration 

I get the result as :

Ronald        website           total bytes                 total duration

Where as I am looking for :

Ronald        1st website       1st website bytes used      1st website time spent
              2nd website       2nd website bytes used      2nd website time spent

I have tried almost everything, but nothing has worked.


richgalloway
SplunkTrust

Have you tried this?

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.

ronaldlb
Explorer

Thank you for your reply. When I add the line it says (No results found.).


ronaldlb
Explorer

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This works, and I got this from btorresgil, but it would not show the bytes or the duration, so I tried everything possible and only got as far as my answer above.


richgalloway
SplunkTrust

Perhaps this will work better.

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, hostname | search sourcetype="pan_threat" | table user hostname bytes duration

ronaldlb
Explorer

I got an error (Error in 'stats' command: The output field 'hostname' cannot have the same name as a group-by field.)

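To make the grouping behaviour in this thread concrete, here is an added Python model of `stats ... by` run over a handful of constructed events. It is not Splunk code, not part of the original thread, and not from the Palo Alto Networks app; the events, hostnames and byte counts are made up. It reproduces the three outcomes discussed above: grouping by user alone collapses every website into one row with a multivalue hostname and one grand total, adding dst_hostname to the BY clause yields one row per user per website, and naming the values() output the same as a group-by field is rejected.

```python
from collections import defaultdict

# Constructed sample events standing in for PAN-OS logs; not real data.
# Each website "Ronald" visits produces one pan_threat URL event and one or
# more pan_traffic session events carrying bytes and elapsed_time.
EVENTS = [
    {"sourcetype": "pan_threat", "log_subtype": "url", "user": "Ronald",
     "dst_hostname": "example.com"},
    {"sourcetype": "pan_traffic", "user": "Ronald", "dst_hostname": "example.com",
     "bytes": 1200, "elapsed_time": 30},
    {"sourcetype": "pan_threat", "log_subtype": "url", "user": "Ronald",
     "dst_hostname": "example.org"},
    {"sourcetype": "pan_traffic", "user": "Ronald", "dst_hostname": "example.org",
     "bytes": 800, "elapsed_time": 15},
    {"sourcetype": "pan_traffic", "user": "Ronald", "dst_hostname": "example.org",
     "bytes": 200, "elapsed_time": 5},
]

# output name -> (aggregation, source field), mirroring the thread's stats clause:
# values(sourcetype) as sourcetype values(dst_hostname) as hostname
# sum(bytes) as bytes sum(elapsed_time) as duration
AGGS = {
    "sourcetype": ("values", "sourcetype"),
    "hostname": ("values", "dst_hostname"),
    "bytes": ("sum", "bytes"),
    "duration": ("sum", "elapsed_time"),
}


def stats(events, by, aggs=AGGS):
    """Toy `stats`: one output row per distinct combination of BY fields.
    Like Splunk, it refuses an output name that is also a BY field and
    drops events that lack any BY field."""
    for out in aggs:
        if out in by:
            raise ValueError(
                f"Error in 'stats' command: The output field '{out}' cannot "
                "have the same name as a group-by field.")
    groups = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        if None not in key:
            groups[key].append(ev)
    rows = []
    for key in sorted(groups):
        row = dict(zip(by, key))
        for out, (fn, src) in aggs.items():
            vals = [e[src] for e in groups[key] if src in e]
            row[out] = sum(vals) if fn == "sum" else sorted(set(vals))
        rows.append(row)
    return rows


def only_threat_seen(rows):
    """Equivalent of `| search sourcetype="pan_threat"` on the multivalue
    sourcetype field: keep rows to which at least one URL event contributed."""
    return [r for r in rows if "pan_threat" in r["sourcetype"]]


def per_user(events=EVENTS):
    """The thread's first query: BY user only, so every website collapses
    into one multivalue hostname and one grand total per user."""
    return only_threat_seen(stats(events, by=("user",)))


def per_user_per_site(events=EVENTS):
    """The fix: BY user AND dst_hostname gives one row per website."""
    return only_threat_seen(stats(events, by=("user", "dst_hostname")))


def collision_error(events=EVENTS):
    """Grouping by 'hostname' while also emitting values() as 'hostname'
    is rejected, reproducing the error at the end of the thread."""
    try:
        stats(events, by=("user", "hostname"))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for row in per_user():
        print("by user:              ", row)
    for row in per_user_per_site():
        print("by user, dst_hostname:", row)
    print(collision_error())
```

The model keeps one simplification worth knowing about: `sum()` over a group with no bytes returns 0 here, whereas Splunk leaves the field empty. The practical point is the same as in the thread: the per-website rows only appear when the website field is part of the BY clause, and the BY field must keep a name distinct from any `as` alias in the same stats command.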