Splunk Search

Help with Search String for Ironport to aggregate destination sites and durations

sinescorey
New Member

I am using this Search String to return results for specific user accounts:

search index=summary user_id=****** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time

I am looking to aggregate the results by destination domain, and show an aggregate number for each domain by browsing_time and show a count. So instead of showing:

google.com 2mins
google.com 1min
google.com 5min

It would show only
google.com 8mins Count 3

Thanks for any help...

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browing_time) as total_browing_time count by dest_domain_time

Can you give more details about what you need as part of 2nd question?

View solution in original post

sinescorey
New Member

Hey your right,

search sourcetype=wsa_accesslogs user_id=* | search x_webcat_code_full!=Advertisements | transaction user_id maxpause=5m | search dest_domain=*| stats sum(duration) as browsing_time by dest_domain | fieldformat browsing_time = tostring(browsing_time,"duration")

This gives me what I am looking for thanks!

0 Karma

somesoni2
Revered Legend

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browing_time) as total_browing_time count by dest_domain_time

Can you give more details about what you need as part of 2nd question?

sinescorey
New Member

"search sourcetype=wsa_accesslogs" vs search index=summary gives you a break down of the actual site visit times. Anyone else have an answer on how to aggregate the sites and times visited?

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more!  Faster Time to Value Managing and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...