Reporting

Url report with user browsing time and number of bytes used

ronaldlb
Explorer

Hi, I have tried everything, but I end up with either user name and website, or website with number of counts and bytes. What I am looking for is getting the user name with what sites have been visited by the user and how much time was spent on each site. Then, when drilled down, I would like to see how many bytes were used on the website and how much time was spent. I know there is a way, but I am lost; I would really appreciate any help with this. I have tried using | stats count by user, which gives me a list, and have tried this as well: sourcetype="pan_threat" url=* | transaction maxspan=1h maxpause=30m fields=src_ip but it will not give me the report that I am looking for.

0 Karma

btorresgil
Builder

Hello, you can do this several ways, but here's one suggestion:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This results in a table where the columns are the User, the FQDN they are accessing, the bytes for that User/FQDN combination, and the duration for that User/FQDN combination.
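The grouping logic of the search above, emulated in Python on constructed events as an added example (not code from this thread): it shows that stats with "by user dst_hostname" skips events lacking either by-field, and that a sum stays empty when no event in the group carries the summed field. The sample events and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread); field names are the ones the search uses.
EVENTS = [
    {"sourcetype": "pan_threat", "log_subtype": "url", "user": "alice", "dst_hostname": "example.com"},
    {"sourcetype": "pan_traffic", "user": "alice", "dst_hostname": "example.com", "bytes": 1200, "elapsed_time": 30},
    {"sourcetype": "pan_traffic", "user": "alice", "dst_hostname": "example.com", "bytes": 800, "elapsed_time": 15},
    # Traffic event with no dst_hostname: "stats ... by user dst_hostname" skips it.
    {"sourcetype": "pan_traffic", "user": "alice", "bytes": 5000, "elapsed_time": 60},
    # URL log with no matching traffic event: the pair survives, but its sums are empty.
    {"sourcetype": "pan_threat", "log_subtype": "url", "user": "bob", "dst_hostname": "example.org"},
    # Traffic-only pair: removed by the trailing search sourcetype="pan_threat".
    {"sourcetype": "pan_traffic", "user": "bob", "dst_hostname": "example.net", "bytes": 300, "elapsed_time": 5},
]

def base_search(ev):
    """sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url)"""
    return ev["sourcetype"] == "pan_traffic" or (
        ev["sourcetype"] == "pan_threat" and ev.get("log_subtype") == "url")

def report(events):
    """Emulate: stats values(sourcetype) sum(bytes) sum(elapsed_time) by user dst_hostname."""
    groups = defaultdict(lambda: {"sourcetype": set(), "bytes": None, "duration": None})
    for ev in filter(base_search, events):
        if ev.get("user") is None or ev.get("dst_hostname") is None:
            continue  # stats drops events missing any by-field
        g = groups[(ev["user"], ev["dst_hostname"])]
        g["sourcetype"].add(ev["sourcetype"])
        for out, src in (("bytes", "bytes"), ("duration", "elapsed_time")):
            if ev.get(src) is not None:  # sum() ignores events without the field
                g[out] = (g[out] or 0) + ev[src]
    # search sourcetype="pan_threat" matches if any value of the multivalue field matches
    return [
        {"user": user, "hostname": host, "bytes": g["bytes"], "duration": g["duration"]}
        for (user, host), g in sorted(groups.items())
        if "pan_threat" in g["sourcetype"]
    ]

if __name__ == "__main__":
    for row in report(EVENTS):
        print(row)
```
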

bsachitano
Explorer

ronaldlb, any success with this?

0 Karma

ronaldlb
Explorer

Thanks btorresgil for the answer. This works, but I am not getting the bytes and duration, and the username is not grouped with the number of URLs visited; it is one URL per line with the same user. Am I missing something? Please advise. Many thanks.

0 Karma

ronaldlb
Explorer

So when I do this I get the users with the websites visited and the total bytes used. But what I am looking for is users grouped with URLs, that is fine, but number of bytes used by the website and time spent on the website by user.

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype, values(dst_hostname) as hostname, sum(bytes) as bytes by user | search sourcetype="pan_threat" | table user hostname bytes

0 Karma