Hi all, I'm pretty new to Splunk and having my hands on it. My question is what query is used to get the data of a specific user.

New Member

Hi all, I'm pretty new to Splunk and having my hands on it. My question is: I have an index=sftp and a user, say xyz. I tried many queries to get an output where I can see the user's filename, upload, uploaded by, upload time, download, downloaded by and download time. So what is the query that I can use to get all this? Any suggestions on it, or any documentation that I need to follow to get this result?

Re: Hi all, I'm pretty new to Splunk and having my hands on it. My question is what query is used to get the data of a specific user.

Super Champion

It depends on how you want the output. The raw events can be fetched by putting _raw.
If you want to extract certain fields only, you can do something like

index=sftp user=xyz  | table filename,upload,upload_by, download 

The key documents I would follow as a newbie are
- http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
- http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

Re: Hi all, I'm pretty new to Splunk and having my hands on it. My question is what query is used to get the data of a specific user.

New Member

Thank you for your quick reply koshyk. What I'm trying to do is: when I give input as index=sftp USER=gradydftsftp, it gives output as
Jan 27 10:15:01 wmcloudsftp internal-sftp[9055]: session closed for local user gradydftsftpdata.
Jan 27 09:15:03 wmcloudsftp internal-sftp[4534]: session closed for local user gradydftsftpdata

So my question is how can I create a dashboard with a query which displays file name, upload by, upload time, download, download by and download time.

Filename is something like (9055)
uploadby is gradydftsftp
uploadtime is 09:15:03

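As an added example (not from this thread, and not Splunk's own code), here is the field extraction the questions above are after, written as a small Python parser over constructed internal-sftp syslog lines. It assumes OpenSSH's sftp-server log format, whose per-file close lines carry byte counts; the page's own sample shows only the session lines, and the regex named groups map directly onto Splunk's rex command.

```python
import re

# Constructed sample in the syslog format OpenSSH's sftp-server/internal-sftp uses
# (assumption; the page's own sample shows only the "session closed" lines).
SAMPLE_LOG = """\
Jan 27 09:14:58 wmcloudsftp internal-sftp[4534]: session opened for local user gradydftsftpdata from [203.0.113.7]
Jan 27 09:15:01 wmcloudsftp internal-sftp[4534]: open "/upload/report.csv" flags WRITE,CREATE,TRUNC mode 0644
Jan 27 09:15:02 wmcloudsftp internal-sftp[4534]: close "/upload/report.csv" bytes read 0 written 20480
Jan 27 09:15:03 wmcloudsftp internal-sftp[4534]: session closed for local user gradydftsftpdata
Jan 27 10:14:55 wmcloudsftp internal-sftp[9055]: session opened for local user gradydftsftpdata from [203.0.113.7]
Jan 27 10:15:00 wmcloudsftp internal-sftp[9055]: close "/upload/report.csv" bytes read 20480 written 0
Jan 27 10:15:01 wmcloudsftp internal-sftp[9055]: session closed for local user gradydftsftpdata
"""

# The bracketed number is the session's process id, not a filename; it ties the
# file lines to the user named in the "session opened" line. The same named groups
# work in Splunk's rex command, e.g. rex "internal-sftp\[(?<pid>\d+)\]: (?<msg>.*)"
LINE_RE = re.compile(r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"^session opened for local user (?P<user>\S+)")
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')

def parse_transfers(log_text):
    """One row per completed file transfer: filename, action, user, time, bytes."""
    user_by_pid = {}  # session pid -> user, learned from "session opened" lines
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an internal-sftp line (sshd, cron, ...)
        pid, msg = m["pid"], m["msg"]
        s = SESSION_RE.match(msg)
        if s:
            user_by_pid[pid] = s["user"]
            continue
        c = CLOSE_RE.match(msg)
        if not c:
            continue  # open/stat/"session closed" lines carry no byte counts
        read, written = int(c["read"]), int(c["written"])
        if read == 0 and written == 0:
            continue  # opened and closed without moving any data
        action = "upload" if written > 0 else "download"  # written = client sent bytes
        rows.append({"filename": c["path"], "action": action, "time": m["time"],
                     "user": user_by_pid.get(pid, "unknown"), "bytes": read + written})
    return rows

def transfers_for_user(log_text, user):
    """The per-user view the question asks for (the equivalent of user=<name> in SPL)."""
    return [r for r in parse_transfers(log_text) if r["user"] == user]
```

If the index holds only the session open/close lines shown in the thread, no search can recover filenames from them; the per-file lines have to be ingested first.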
Re: Hi all, I'm pretty new to Splunk and having my hands on it. My question is what query is used to get the data of a specific user.

Super Champion

Depending on what field you want, you can create any dashboard,
e.g. for a timechart-based dashboard

index=sftp user=xyz | timechart count

and look into the Visualization tab. You can select an appropriate chart and format. Then you can click on "Save As" and save that as a dashboard.
