Splunk Search

Help with Search String for Ironport to aggregate destination sites and durations

sinescorey
New Member

I am using this Search String to return results for specific user accounts:

search index=summary user_id=****** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time

I am looking to aggregate the results by destination domain, and show an aggregate number for each domain by browsing_time and show a count. So instead of showing:

google.com 2mins
google.com 1min
google.com 5min

It would show only
google.com 8mins Count 3

Thanks for any help...

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browing_time) as total_browing_time count by dest_domain_time

Can you give more details about what you need as part of 2nd question?

View solution in original post

sinescorey
New Member

Hey your right,

search sourcetype=wsa_accesslogs user_id=* | search x_webcat_code_full!=Advertisements | transaction user_id maxpause=5m | search dest_domain=*| stats sum(duration) as browsing_time by dest_domain | fieldformat browsing_time = tostring(browsing_time,"duration")

This gives me what I am looking for thanks!

0 Karma

somesoni2
Revered Legend

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browing_time) as total_browing_time count by dest_domain_time

Can you give more details about what you need as part of 2nd question?

sinescorey
New Member

"search sourcetype=wsa_accesslogs" vs search index=summary gives you a break down of the actual site visit times. Anyone else have an answer on how to aggregate the sites and times visited?

0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...