Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine multiple events for reporting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combine multiple events for reporting
Hi,
I'm using splunk for caching the log and reporting, now I need to query in splunk for user action and generate a report. My case will be showed as following
I had several events in a log like :
e1: [email1@test.com] Login system with username:email1
e2: [email1@test.com] Read articleId:art1
e3: [email1@test.com] Read articleId:art2
e4: [anotheremail1@test.com] Login system with username:email2
Now I want to list all actions made by user who read article with articleId is art1. Which search statement can help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best case: extract the fields for email, action and article. Then your search will look like this:
yoursearchhere [ search action=Read article="art1" | dedup email | fields email ]
If you must create the fields on-the-fly, the search becomes much more complex:
yoursearchhere [ search yousearchhere "art1"
| rex "\[(?<email>\S+@\S+)\]\s(?<action>\S+)\s.*?\:(?<article>.*)"
| search action=Read article=art1 | dedup email | fields email ]
You might want to read the documentation on creating field extractions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below query. Replace "email" with sourcetype of yours:-
sourcetype=email | rex "\[(?P<User>[^@]+)" | search [search sourcetype=email | rex "\[(?P<User>[^@]+)" | rex "\] (?P<Action>[^:]+):(?P<Item>.+)"| table _raw, User, Action,Item | where Action="Read articleId" AND Item="art1"| table User]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your source/log file name? instead of "sourcetype=email", use "source=<
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used your query and always returns no result for that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for type. I mean to say that replace "sourcetype=email" with whatever sourcetype you're using. Updated the answer now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @somesoni2, what you mean about sourcetype command in your query?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
