- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine multiple events for reporting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combine multiple events for reporting
Hi,
I'm using splunk for caching the log and reporting, now I need to query in splunk for user action and generate a report. My case will be showed as following
I had several events in a log like :
e1: [email1@test.com] Login system with username:email1
e2: [email1@test.com] Read articleId:art1
e3: [email1@test.com] Read articleId:art2
e4: [anotheremail1@test.com] Login system with username:email2
Now I want to list all actions made by user who read article with articleId is art1. Which search statement can help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best case: extract the fields for email, action and article. Then your search will look like this:
yoursearchhere [ search action=Read article="art1" | dedup email | fields email ]
If you must create the fields on-the-fly, the search becomes much more complex:
yoursearchhere [ search yousearchhere "art1"
| rex "\[(?<email>\S+@\S+)\]\s(?<action>\S+)\s.*?\:(?<article>.*)"
| search action=Read article=art1 | dedup email | fields email ]
You might want to read the documentation on creating field extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below query. Replace "email" with sourcetype of yours:-
sourcetype=email | rex "\[(?P<User>[^@]+)" | search [search sourcetype=email | rex "\[(?P<User>[^@]+)" | rex "\] (?P<Action>[^:]+):(?P<Item>.+)"| table _raw, User, Action,Item | where Action="Read articleId" AND Item="art1"| table User]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your source/log file name? instead of "sourcetype=email", use "source=<
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used your query and always returns no result for that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for type. I mean to say that replace "sourcetype=email" with whatever sourcetype you're using. Updated the answer now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @somesoni2, what you mean about sourcetype command in your query?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
