
Splunk for Palo Alto Networks: How to search time spent (duration) and sum of bytes per URL by user?

ronaldlb
Explorer

Hi, when I do this:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user | search sourcetype="pan_threat" | table user hostname bytes duration 

I get the result as:

Ronald        website           total bytes                 total duration

Whereas I am looking for:

Ronald        1st website       1st website bytes used      1st website time spent
              2nd website       2nd website bytes used      2nd website time spent

I have tried almost everything, but nothing has worked.

0 Karma

richgalloway
SplunkTrust

Have you tried this?

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

Thank you for your reply. When I add the line it says "No results found."

0 Karma

ronaldlb
Explorer

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This works, and I got this from btorresgil, but it would not show the bytes or the duration, so I tried everything possible and just got as far as my above answer.

0 Karma

richgalloway
SplunkTrust

Perhaps this will work better.

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

I got an error: ( Error in 'stats' command: The output field 'hostname' cannot have the same name as a group-by field.)

0 Karma
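A version of the search that avoids the error above, added here as an example and not taken from any post in this thread. The stats error occurs because values(dst_hostname) is renamed to hostname while hostname is also a group-by field; grouping by the raw dst_hostname and renaming only after stats removes the collision. It assumes the fields the thread already uses (user, dst_hostname, bytes, elapsed_time, log_subtype, sourcetype) and the `pan_index` macro from the Palo Alto Networks app.

```spl
`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url)
| stats values(sourcetype) as sourcetype
        sum(bytes) as bytes
        sum(elapsed_time) as duration
  by user, dst_hostname
| search sourcetype="pan_threat"
| rename dst_hostname as hostname
| table user hostname bytes duration
```

The search sourcetype="pan_threat" step keeps only the user/hostname groups that contain at least one URL event, so each row is one user and one website. Bytes and elapsed_time come from the pan_traffic events, which means the sums only appear on a row when the traffic events carry the same dst_hostname value as the URL events for that user; if rows show a hostname with empty bytes and duration, the traffic events are landing in a different group (or have no dst_hostname at all). Running the same base search with | stats count by sourcetype, dst_hostname shows which sourcetype populates which hostname values before trying to join them.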