All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Palo Alto Networks: How to search time spent (duration) and sum of bytes per URL by user?

ronaldlb
Explorer
‎02-17-2015 12:51 PM

Hi when I do this 

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user | search sourcetype="pan_threat" | table user hostname bytes duration

I get the result as :

Ronald        website           total bytes                 total duration

Where as I am looking for :

Ronald        1st website       1st website bytes used      1st website time spent
              2nd website       2nd website bytes used      2nd website time spent

I have tried almost everything, but nothing has worked.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2015 07:14 AM

Have you tried this?

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ronaldlb
Explorer
‎02-18-2015 07:38 AM

Thank you for your reply when I add the line it say ( No results found.) .

0 Karma
Reply

ronaldlb
Explorer
‎02-18-2015 07:42 AM

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This works and I got this from btorresgil but i would not show the bytes or the duration so I tried everything possible and just got so far on my above answer.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2015 07:47 AM

Perhaps this will work better.

pan_index sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user, hostname | search sourcetype="pan_threat" | table user hostname bytes duration
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ronaldlb
Explorer
‎02-18-2015 08:26 AM

I got an errro ( Error in 'stats' command: The output field 'hostname' cannot have the same name as a group-by field.)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...