All Apps and Add-ons

Splunk for Palo Alto Networks: How to search time spent (duration) and sum of bytes per URL by user?

ronaldlb
Explorer

Hi when I do this

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user | search sourcetype="pan_threat" | table user hostname bytes duration 

I get the result as :

Ronald        website           total bytes                 total duration

Where as I am looking for :

Ronald        1st website       1st website bytes used      1st website time spent
              2nd website       2nd website bytes used      2nd website time spent

I have tried almost everything, but nothing has worked.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you tried this?

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

Thank you for your reply when I add the line it say ( No results found.) .

0 Karma

ronaldlb
Explorer

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This works and I got this from btorresgil but i would not show the bytes or the duration so I tried everything possible and just got so far on my above answer.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps this will work better.

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma

ronaldlb
Explorer

I got an errro ( Error in 'stats' command: The output field 'hostname' cannot have the same name as a group-by field.)

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...