
Help with Search String for Ironport to aggregate destination sites and durations

sinescorey
New Member

I am using this Search String to return results for specific user accounts:

search index=summary user_id=****** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time

I am looking to aggregate the results by destination domain, and show an aggregate number for each domain by browsing_time and show a count. So instead of showing:

google.com 2mins
google.com 1min
google.com 5min

It would show only
google.com 8mins Count 3

Thanks for any help...


somesoni2
SplunkTrust

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browsing_time) as total_browsing_time count by dest_domain

Can you give more details about what you need as part of 2nd question?

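As an added illustration (not part of this thread or of Splunk's own code), the following Python script emulates offline what the accepted answer's `x_webcat_code_full!=Advertisements | stats sum(duration) AS browsing_time, count BY dest_domain` pipeline computes, on a handful of constructed WSA-style records, so the expected per-domain totals can be checked before trusting a search over real data. The field names are the ones used in the thread; the sample events, the user name `jdoe` and the H:MM:SS formatter (an approximation of `tostring(x,"duration")`) are assumptions.

```python
from collections import defaultdict

# Constructed sample events using the thread's field names; durations are in
# seconds, which is what Splunk's tostring(x, "duration") expects.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T09:00:00", "user_id": "jdoe", "dest_domain": "google.com",
     "x_webcat_code_full": "Search Engines and Portals", "duration": 120},
    {"_time": "2024-01-01T09:05:00", "user_id": "jdoe", "dest_domain": "google.com",
     "x_webcat_code_full": "Search Engines and Portals", "duration": 60},
    {"_time": "2024-01-01T09:20:00", "user_id": "jdoe", "dest_domain": "google.com",
     "x_webcat_code_full": "Search Engines and Portals", "duration": 300},
    {"_time": "2024-01-01T09:21:00", "user_id": "jdoe", "dest_domain": "ads.example",
     "x_webcat_code_full": "Advertisements", "duration": 45},
    {"_time": "2024-01-01T10:00:00", "user_id": "jdoe", "dest_domain": "example.org",
     "x_webcat_code_full": "Business and Industry", "duration": 3700},
]


def format_duration(seconds):
    """Render seconds as HH:MM:SS (approximates Splunk's tostring(x, "duration"))."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def browsing_by_domain(events, user_id=None, exclude_category="Advertisements"):
    """Emulate `... x_webcat_code_full!=Advertisements
    | stats sum(duration) AS browsing_time, count BY dest_domain | sort - browsing_time`."""
    totals = defaultdict(lambda: {"browsing_time": 0, "count": 0})
    for ev in events:
        if user_id is not None and ev["user_id"] != user_id:
            continue                      # restrict to one account, like user_id=<name>
        if ev["x_webcat_code_full"] == exclude_category:
            continue                      # drop ad traffic, like x_webcat_code_full!=Advertisements
        bucket = totals[ev["dest_domain"]]
        bucket["browsing_time"] += ev["duration"]
        bucket["count"] += 1
    rows = [{"dest_domain": d, **v, "browsing_time_fmt": format_duration(v["browsing_time"])}
            for d, v in totals.items()]
    # Sort on the numeric total, not the formatted string, as you would in SPL.
    return sorted(rows, key=lambda r: r["browsing_time"], reverse=True)


if __name__ == "__main__":
    for row in browsing_by_domain(SAMPLE_EVENTS, user_id="jdoe"):
        print(f'{row["dest_domain"]:<14} {row["browsing_time_fmt"]}  count={row["count"]}')
```

With the sample data this yields one row per domain, e.g. google.com 00:08:00 with count=3, matching the "google.com 8mins Count 3" shape asked for above.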

sinescorey
New Member

Hey, you're right,

search sourcetype=wsa_accesslogs user_id=* | search x_webcat_code_full!=Advertisements | transaction user_id maxpause=5m | search dest_domain=* | stats sum(duration) as browsing_time by dest_domain | fieldformat browsing_time = tostring(browsing_time,"duration")

This gives me what I am looking for thanks!



sinescorey
New Member

"search sourcetype=wsa_accesslogs" vs "search index=summary" gives you a breakdown of the actual site visit times. Anyone else have an answer on how to aggregate the sites and times visited?
