Reporting

Url report with user browsing time and number of bytes used

ronaldlb
Explorer

Hi, I have tried everything, but I end up with either user name and website, or website with number of counts and bytes. What I am looking for is getting the user name with what sites have been visited by the user and how much time was spent on each site. Then, when drilled down, I would like to see how many bytes were used on the website and how much time was spent. I know there is a way, but I am lost; I would really appreciate any help with this. I have tried using | stats count by user, which gives me a list, and have tried this as well: sourcetype="pan_threat" url=* | transaction maxspan=1h maxpause=30m fields=src_ip, but it will not give me the report that I am looking for.

0 Karma

btorresgil
Builder

Hello, you can do this several ways, but here's one suggestion:

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype values(dst_hostname) as hostname sum(bytes) as bytes sum(elapsed_time) as duration by user dst_hostname | search sourcetype="pan_threat" | table user hostname bytes duration

This results in a table where the columns are the User, the FQDN they are accessing, the bytes for that User/FQDN combination, and the duration for that User/FQDN combination.
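A variant of the search above, added here as an example and not part of btorresgil's answer: it first groups by firewall session, then by user and hostname. It assumes that bytes and elapsed_time are present only on pan_traffic events, that dst_hostname is present only on the URL events, and that both sourcetypes carry a session_id field (an assumed field name) shared by the traffic and URL logs of one session.

```spl
`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url)
| stats values(user) as user
        values(dst_hostname) as hostname
        sum(bytes) as bytes
        sum(elapsed_time) as duration
        by session_id src_ip
| search hostname=* user=*
| mvexpand hostname
| mvexpand user
| stats sum(bytes) as bytes
        sum(duration) as duration
        dc(session_id) as sessions
        by user hostname
| sort user -bytes
```

A session that produced URL logs for several hostnames has its full byte count and duration attributed to each of them, so per-hostname totals for such sessions are upper bounds.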

bsachitano
Explorer

ronaldlb, any success with this?

0 Karma

ronaldlb
Explorer

Thanks, btorresgil, for the answer. This works, but I am not getting the bytes and duration, and the username is not grouped with the number of URLs visited; it is one URL per line with the same user. Am I missing something? Please advise. Many thanks.

0 Karma

ronaldlb
Explorer

So when I do this, I get the users with the websites visited and the total bytes used. But what I am looking for is users grouped with URLs, that is fine, but number of bytes used by the website and time spent on the website by user.

`pan_index` sourcetype=pan_traffic OR (sourcetype=pan_threat log_subtype=url) | stats values(sourcetype) as sourcetype, values(dst_hostname) as hostname, sum(bytes) as bytes by user | search sourcetype="pan_threat" | table user hostname bytes

0 Karma