I am trying to display a table of users' usage for each individual computer that they have used. I can get the result I want when I search for an individual user using the search below:
index=windows_os user=User3 tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647)
|transaction host startswith="4624" endswith="4647"
|eval "Time" = round(duration/60,0)
|stats sum(Time) count by host
|table host, sum(Time)
RESULT:
host sum(Time)
MU00043103 14
MU00042261 31
What I want to do is set user to * or not specify a user to view all users. I have tried the following:
index=windows_os tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647) user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
| transaction host startswith="4624" endswith="4647"
| table user, host, duration
| eval "Time" = round(duration/60,2)
| table user, host, "Time"
| sort user
RESULTS:
user host Time
User1 MU00041577 105
User2 MU00041691 10
User3 MU00043103 9
User3 MU00042261 22
User3 MU00043103 5
User3 MU00042261 9
User 4 MU00041691 8
User5 MU00081455 3
User5 MU00081455 3
User5 MU00081455 4
User5 MU00081455 3
However, when I use the search above, the events are not grouped per user on each computer. The result I would like to see is:
RESULTS:
user host Time
User1 MU00041577 105
User2 MU00041691 10
User3 MU00043103 14
User3 MU00042261 31
User4 MU00041691 8
User5 MU00081455 13
Any help would be much appreciated.
You can modify your search to below -
index=windows_os tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647) user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
| transaction user host startswith="4624" endswith="4647"
| table user, host, duration
| eval Time = round(duration/60,2)
| stats sum(Time) as Time by user host
| sort user
You need to add the user field in the transaction command, else a transaction may start for a particular user and end for another, making the data inconsistent. Finally you can take the sum of the duration a particular user spent on a host and then sort the results.
If you want to stick to transaction, you should add user also as your transaction key as suggested by dineshraj9 i.e.
| transaction user host startswith="4624" endswith="4647"
However, transaction is not a suitable command for the second scenario. It is more suitable when you want to stitch all events together for a single key value like sessionID, or as in your first query, where you have created the same for only one user and one host.
Try converting your transaction query to stats:
index=windows_os tag::host=INC000001498678 (EventCode=4624 OR EventCode=4647) user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
| stats count as eventcount min(_time) as MinTime max(_time) as MaxTime values(EventCode) as EventCode by user host
| search eventcount>1 EventCode="4624" EventCode="4647"
| eval duration= MaxTime-MinTime
| eval "Time (in min)" = round(duration/60,2)
| eval _time=MinTime
| sort user, host
| table _time user host "Time (in min)"
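The two approaches above (transaction keyed on user and host, and the stats min/max span by user host) can be modelled offline. The following Python is an added example, not code from the thread or from Splunk; it uses constructed 4624/4647 events and a simplified pairing model (the first 4624 for a key opens a session, the next 4647 for that key closes it), which is an assumption and not Splunk's exact transaction semantics. It shows why keying only on host misattributes or orphans sessions when two users overlap on one machine, and that the min/max span counts idle time between a user's separate sessions on the same host, so it only matches the summed transaction durations when there is a single session per user and host.

```python
"""Added example (not from the Splunk Answers thread): pair Windows logon (4624)
and logoff (4647) events per user+host, compare with host-only pairing and with
a stats-style min(_time)/max(_time) span. All events are constructed sample data."""
from collections import defaultdict

# Mirrors the search filters user!=SYSTEM user!="ANONYMOUS LOGON" user!=MU*$
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON"}


def keep(event):
    """Drop system, anonymous and MU...$ machine accounts, like the SPL filters."""
    user = event[1]
    if user in EXCLUDED_USERS:
        return False
    return not (user.startswith("MU") and user.endswith("$"))


# Constructed sample events: (epoch seconds, user, host, EventCode).
EVENTS = [
    (0,    "User1",        "MU00041577", 4624),
    (5,    "MU00041577$",  "MU00041577", 4624),   # machine account, filtered out
    (6300, "User1",        "MU00041577", 4647),   # 105 min
    (0,    "User2",        "MU00041691", 4624),
    (60,   "User4",        "MU00041691", 4624),   # overlapping user on same host
    (540,  "User4",        "MU00041691", 4647),   # User4: 8 min
    (600,  "User2",        "MU00041691", 4647),   # User2: 10 min
    (0,    "User3",        "MU00043103", 4624),
    (30,   "SYSTEM",       "MU00043103", 4624),   # filtered out
    (540,  "User3",        "MU00043103", 4647),   # 9 min
    (1200, "User3",        "MU00043103", 4624),
    (1500, "User3",        "MU00043103", 4647),   # 5 min  -> 14 min total
    (100,  "User3",        "MU00042261", 4624),
    (1420, "User3",        "MU00042261", 4647),   # 22 min
    (2000, "User3",        "MU00042261", 4624),
    (2540, "User3",        "MU00042261", 4647),   # 9 min  -> 31 min total
    (100,  "User5",        "MU00081455", 4624),
    (280,  "User5",        "MU00081455", 4647),   # 3 min
    (1000, "User5",        "MU00081455", 4624),
    (1180, "User5",        "MU00081455", 4647),   # 3 min
    (2000, "User5",        "MU00081455", 4624),
    (2240, "User5",        "MU00081455", 4647),   # 4 min
    (3000, "User5",        "MU00081455", 4624),
    (3180, "User5",        "MU00081455", 4647),   # 3 min  -> 13 min total
]


def session_minutes(events, by_user=True):
    """Simplified 'transaction ... startswith=4624 endswith=4647' model.

    Key is (user, host) when by_user is True, else (host,) only. A 4647 with no
    open session for its key is counted as orphaned. Returns ({(user, host):
    minutes}, orphaned_count); minutes are attributed to the user on the
    closing 4647 event, which is what goes wrong with a host-only key."""
    open_logon = {}
    totals = defaultdict(float)
    orphaned = 0
    for t, user, host, code in sorted(filter(keep, events)):
        key = (user, host) if by_user else (host,)
        if code == 4624:
            open_logon.setdefault(key, t)   # later logons fold into the open session
        elif code == 4647:
            if key in open_logon:
                totals[(user, host)] += (t - open_logon.pop(key)) / 60
            else:
                orphaned += 1
    return {k: round(v, 2) for k, v in totals.items()}, orphaned


def span_minutes(events):
    """Model of the stats answer: min(_time)/max(_time) by user host, kept only
    when both 4624 and 4647 occurred, reported as (max - min) / 60."""
    bounds = {}
    for t, user, host, code in filter(keep, events):
        lo, hi, codes = bounds.get((user, host), (t, t, set()))
        bounds[(user, host)] = (min(lo, t), max(hi, t), codes | {code})
    return {k: round((hi - lo) / 60, 2)
            for k, (lo, hi, codes) in bounds.items() if {4624, 4647} <= codes}


if __name__ == "__main__":
    print("transaction user host :", session_minutes(EVENTS, by_user=True))
    print("transaction host only :", session_minutes(EVENTS, by_user=False))
    print("stats span by user host:", span_minutes(EVENTS))
```

Running it shows User3 on MU00043103 as 14 min and User5 on MU00081455 as 13 min with the user+host key, while the host-only key credits User4 with User2's session start and orphans User2's logoff; the span model reports 25 min for User3 on MU00043103 because it includes the gap between the two sessions.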
I agree that using stats can provide a performance improvement in this case, but transaction supports a multiple-field list -
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Transaction
Optional arguments
field-list
Syntax: ...
Description: One field or more field names. The events are grouped into transactions based on the values of this field. If a quoted list of fields is specified, events are grouped together if they have the same value for each of the fields.
@dineshraj9 using by user host in stats or transaction user host will give the same result. Events will be aggregated based on both user and host fields in both scenarios. With a large dataset transaction may not just run slow, it can treat some records as evicted or orphaned and drop them from the transaction (keepevicted=t keeporphaned=t).
Although there is no hard-and-fast rule for which specific correlation method to use, the following flowchart by Nick Mealy gives an idea of situations where one method might be preferred over another: http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
Agreed! Your point on evicted and orphaned searches in transactions is right.
Thanks for sharing the flowchart.
Thank you so much. I didn't know you can have multiple fields after the transaction command.