Dashboards & Visualizations

How to list domains/hosts results before and after a specific domain was connected to?

brc55
Engager

Hello,

I'm trying to create a dashboard with a statistics table that will show a list of domains/hosts 10 minutes before and after a user connected to a specific domain.

i.e. A user connected to abc.com at 12pm EST on 4/7/2022. I want to be able to input the user's ID and host (abc.com) into text fields, and when I submit/search I want the results to show (sorted by time) all of the domains/hosts the user went to 10 minutes before and leading up to abc.com, as well as all of the domains/hosts after abc.com.

I am stuck and have tried different variations of the query below using sort and desc. I've gotten results; however, they only show the specific host that was entered into the text field and not the other hosts around that searched host.

This is what I've started with and as previously mentioned, I've tried altering it quite a few times:

index=proxy userID=$user_id$ host=$host_id$ | table _time, userID, host, ip, | sort host span=10m, -host span=10m

Any assistance is appreciated!


richgalloway
SplunkTrust

Since you want to see all hosts, not just abc.com, use host=* instead of host=$host_id$.

---
If this reply helps you, an upvote would be appreciated.
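Building on the host=* point above, here is one way to anchor the window on the searched host and keep only the 10 minutes on either side of it. This is an added example, not from the original thread; it assumes the index=proxy field names (userID, host, ip) and the dashboard tokens $user_id$ and $host_id$ from the question, and introduces two fields of my own, anchor_time and position, for the window and the before/target/after label.

```spl
index=proxy userID=$user_id$ host=*
| eventstats min(eval(if(host="$host_id$", _time, null()))) AS anchor_time
| where isnotnull(anchor_time) AND _time >= anchor_time - 600 AND _time <= anchor_time + 600
| eval position = case(_time < anchor_time, "before", host="$host_id$", "target", true(), "after")
| table _time, userID, host, ip, position
| sort _time
```

The time picker still has to cover at least 10 minutes on each side of the visit, and if the user hit the searched host more than once the window is taken from the earliest visit (swap min for max to use the latest); if the host was never visited in the selected range, anchor_time is null and the where clause returns nothing rather than an unanchored list.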