Dashboards & Visualizations

How to list domains/hosts results before and after a specific domain was connected to?

brc55
Engager

Hello,

I'm trying to create a dashboard with a statistics table that will show a list of domains/hosts 10 minutes before and after a user connected to a specific domain.

i.e. a user connected to abc.com at 12pm EST on 4/7/2022. I want to be able to input the user's ID and host (abc.com) into text fields, and when I submit/search I want the results to show (sorted by time) all of the domains/hosts the user went to in the 10 minutes before and leading up to abc.com, as well as all of the domains/hosts after abc.com.

I am stuck and have tried different variations of the query below using sort and desc. I've gotten results; however, they only show the specific host that was entered into the text field and not the other hosts around that searched host.

This is what I've started with and as previously mentioned, I've tried altering it quite a few times:

index=proxy userID=$user_id$ host=$host_id$ | table _time, userID, host, ip, | sort host span=10m, -host span=10m

Any assistance is appreciated!


richgalloway
SplunkTrust

Since you want to see all hosts, not just abc.com, use host=* instead of host=$host_id$.

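One way to build the before/after window on top of the host=* advice above, as an added example that is not from the original thread. A subsearch finds the event where the user reached the searched host and returns earliest/latest bounds 600 seconds (the 10 minutes asked for) either side of it; the outer search, no longer filtered to one host, then lists every host the same user hit inside that window. The index name, field names and dashboard tokens ($user_id$, $host_id$) are taken from the question; everything else is this example's own choice.

```spl
index=proxy userID=$user_id$ host=*
    [ search index=proxy userID=$user_id$ host=$host_id$
      | head 1
      | eval earliest=_time-600, latest=_time+600
      | fields earliest latest ]
| table _time userID host ip
| sort _time
```

The subsearch's earliest and latest fields are appended to the outer search as time bounds, so the dashboard's own time picker must already cover the window or nothing will match. head 1 keeps only the most recent connection to the searched host; if the user reached it more than once and a different occurrence is wanted, narrow the subsearch (for example with an extra time constraint) before head. Pivoting around a single proxy event this way is the usual check when a user hit a suspicious domain and you want to see the referring sites and any follow-on connections without pre-filtering the destination.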