How to list domains/hosts results before and after...

brc55 · ‎04-07-2022

Hello,

I'm trying to create a dashboard with a statistics table that will show a list of domains/hosts 10 minutes before and after a user connected to a specific domain.

i.e. A user connected to abc.com at 12pm EST on 4/7/2022. I want to be able to input the users ID and host (abc.com) into text fields and when I submit/search I want results to show (sorted by time) all of the domains/hosts the user went to 10 minutes before and leading up to abc.com as well as all of the domains/hosts after abc.com

I am stuck and have tried different variations of the query below using sort and desc. I've gotten results however, they only show the specific host that was entered into the text field and not the other hosts around that searched host.

This is what I've started with and as previously mentioned, I've tried altering it quite a few times:

index=proxy userID=$user_id$ host=$host_id$ | table _time, userID, host, ip, | sort host span=10m, -host span=10m

Any assistance is appreciated!

richgalloway · ‎04-07-2022

Since you want to see all hosts, not just abc.com, use host=* instead of host=$host_id$.

---
If this reply helps you, Karma would be appreciated.

How to list domains/hosts results before and after a specific domain was connected to?

drilldown

panel

timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!