Reporting

How can I generate a report on a weekly basis for the previous week broken down by day?

SplunkLunk
Path Finder

Greetings,

I want to search for five or more times a person views a PDF document in an application over the course of one day. Then, once a week I want to send all the events for that week to the application admins so they can investigate why a user(s) might be viewing so many PDFs in a day (the PDF has sensitive data). My current search looks like this for the last 24 hours:

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
|eventstats  count as Count values("PROCESS_TYPE") as "Process Type" by "USERS_NAME"
|where Count > 4
|table Time,"User ID", "Case ID", "User's Name", "Process Area", "Process Table", "Process Type", "Process Description",
|sort "User's Name"
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

The admins don't want the report each day, but they want a breakdown by day every week. Thanks for any advice anyone can provide.

0 Karma
1 Solution

DalJeanis
Legend

This updated solution assumes that _time is present on each record in epoch format.

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin _time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

This solution assumes that Time is in epoch time format. Just run it once a week, and bin the days before the eventstats...

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin Time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

View solution in original post

0 Karma

DalJeanis
Legend

This updated solution assumes that _time is present on each record in epoch format.

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin _time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

This solution assumes that Time is in epoch time format. Just run it once a week, and bin the days before the eventstats...

index=[my index] sourcetype=[sourcetype] source=[source] PROCESS_TYPE="pdf view"
| bin Time as Day span=1d
| eventstats count as Count by "USERS_NAME" Day
| where Count > 4
| rename PROCESS_TYPE as "Process Type"
| table "User's Name", Time,"User ID", "Case ID", "Process Area", "Process Table", "Process Type", "Process Description",
| sort 0 "User's Name" Time 
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time
0 Karma

SplunkLunk
Path Finder

That doesn't really do what I need it to do. It looks like that ends up showing events greater than 4 across the entire span of seven days. So "Molly" had 6 events over 7 days, but only 2 on Monday, 2 on Wed., and 2 on Thursday. I need to generate a report over 7 days of people that only had 5 or greater "views" on one day. So the report would show activity for all seven days, but only list "Molly" if she had > 5 views on Monday, "Kelly" if she had > 5 views on Wed., etc. Is this possible?

0 Karma

DalJeanis
Legend

@SplunkLunk - then Time must not be present on each record in epoch time format, or Day would be calculated correctly and the Count would be restricted by Day. Updated code to use _time instead.

0 Karma

SplunkLunk
Path Finder

Thanks. That looks like it worked. Much appreciated!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...