Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: identifying the user and the data submitted by...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i would like to report on the events submitted via the rest API by user. i have multiple users that submit data to splunk via the rest api. the request is recorded in _internal index as:
127.0.0.1 - user1 [16/May/2013:12:55:00.807 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 882 - - - 3ms
an example event may look like this:
<?xml version="1.0" encoding="utf-8"?><alerts appliance="gitest.fireeye.com" msg="normal" product="Web MPS" version="6.1.0.70271" xmlns="http://www.fireeye.com/alert/2011/AlertSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.fireeye.com/alert/2011/AlertSchema FireEyeAlert.xsd"><alert id="91" name="malware-object" severity="majr"><explanation analysis="content" protocol="tcp"><malware-detected><malware name="Trojan.Onlinegames" origid="2274" sid="2274" stype="duplicate-md5sum" type="exe"><downloaded-at>2012-07-23T08:30:39.062949</downloaded-at><md5sum>5352ffa20a29a2201074dcafccb0c9d2</md5sum><original>cao.exe</original><http-header>GET /cao/cao.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Accept: */*
Host: google.netcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 11539
Content-Type: application/octet-stream
i would like to find out the event corresponding to a submission and be able to present a table or be able to write an alert based on a combination of user and data in the submission.
i appreciate your insights.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this search seems to do the trick
index=blah | bucket _time span=1s | join _time [search index=_internal /services/receivers/simple? source=*/splunkd_access.log | bucket _time span=1s] | table user _raw
i used the bucket command so i can drop off milliseconds. one of the data sources has milliseconds and the other one doesn't.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this search seems to do the trick
index=blah | bucket _time span=1s | join _time [search index=_internal /services/receivers/simple? source=*/splunkd_access.log | bucket _time span=1s] | table user _raw
i used the bucket command so i can drop off milliseconds. one of the data sources has milliseconds and the other one doesn't.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
