Splunk Search

Combine multiple events for reporting

ndkhoiits
Explorer

Hi,

I'm using splunk for caching the log and reporting, now I need to query in splunk for user action and generate a report. My case will be showed as following

I had several events in a log like :

Now I want to list all actions made by user who read article with articleId is art1. Which search statement can help me?

Tags (2)
0 Karma

lguinn2
Legend

Best case: extract the fields for email, action and article. Then your search will look like this:

yoursearchhere [ search action=Read article="art1" | dedup email | fields email ]

If you must create the fields on-the-fly, the search becomes much more complex:

yoursearchhere [ search yousearchhere  "art1" 
| rex "\[(?<email>\S+@\S+)\]\s(?<action>\S+)\s.*?\:(?<article>.*)"
| search action=Read article=art1 | dedup email | fields email ]

You might want to read the documentation on creating field extractions.

0 Karma

somesoni2
Revered Legend

Try below query. Replace "email" with sourcetype of yours:-

sourcetype=email | rex "\[(?P<User>[^@]+)" | search [search sourcetype=email | rex "\[(?P<User>[^@]+)" | rex "\] (?P<Action>[^:]+):(?P<Item>.+)"| table _raw, User, Action,Item | where Action="Read articleId" AND Item="art1"| table User]
0 Karma

somesoni2
Revered Legend

What is your source/log file name? instead of "sourcetype=email", use "source=<>" and try.

0 Karma

ndkhoiits
Explorer

I used your query and always returns no result for that

0 Karma

somesoni2
Revered Legend

Sorry for type. I mean to say that replace "sourcetype=email" with whatever sourcetype you're using. Updated the answer now.

0 Karma

ndkhoiits
Explorer

Hi @somesoni2, what you mean about sourcetype command in your query?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...