Splunk Search

Help with Search String for Ironport to aggregate destination sites and durations

sinescorey
New Member

I am using this Search String to return results for specific user accounts:

search index=summary user_id=****** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time

I am looking to aggregate the results by destination domain, and show an aggregate number for each domain by browsing_time and show a count. So instead of showing:

google.com 2mins
google.com 1min
google.com 5min

It would show only
google.com 8mins Count 3

Thanks for any help...

1 Solution

somesoni2
Revered Legend

For your original question, this should work

search index=summary user_id=** | search x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time by dest_domain _time user_id x_webcat_code_full duration | fieldformat browsing_time = tostring(browsing_time,"duration") | table _time, dest_domain, x_webcat_code_full, user_id, browsing_time | stats sum(browsing_time) as total_browsing_time count by dest_domain

Can you give more details about what you need as part of the 2nd question?


sinescorey
New Member

Hey, you're right,

search sourcetype=wsa_accesslogs user_id=* | search x_webcat_code_full!=Advertisements | transaction user_id maxpause=5m | search dest_domain=* | stats sum(duration) as browsing_time by dest_domain | fieldformat browsing_time = tostring(browsing_time,"duration")

This gives me what I am looking for thanks!

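To make concrete what the two searches in this thread compute, here is an added Python model (not from the thread or from Splunk) of the per-domain aggregation: it filters out the Advertisements category, approximates `transaction user_id maxpause=5m` by splitting each user's events into sessions wherever the gap between consecutive events exceeds five minutes, then sums duration and counts events per dest_domain the way `stats sum(duration) as browsing_time count by dest_domain` does. The event data is constructed sample data, and the session split is an approximation of the transaction command, not its exact semantics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the WSA access-log fields used in the thread:
# (_time, user_id, dest_domain, x_webcat_code_full, duration in seconds). Hypothetical data.
EVENTS = [
    ("2024-01-08T09:00:00", "alice", "google.com", "Search Engines and Portals", 120),
    ("2024-01-08T09:02:30", "alice", "google.com", "Search Engines and Portals", 60),
    ("2024-01-08T09:03:00", "alice", "ads.example", "Advertisements", 15),
    ("2024-01-08T09:20:00", "alice", "google.com", "Search Engines and Portals", 300),
    ("2024-01-08T09:21:00", "bob", "wiki.example", "Reference", 240),
]

def sessionize(events, maxpause=timedelta(minutes=5)):
    """Approximate `transaction user_id maxpause=5m`: per user, events sorted by time
    stay in one session until the gap to the next event exceeds maxpause."""
    by_user = defaultdict(list)
    for ts, user, domain, cat, dur in events:
        by_user[user].append((datetime.fromisoformat(ts), user, domain, cat, dur))
    labelled = []  # (session_id, user, domain, category, duration)
    for user, evs in by_user.items():
        evs.sort()
        session, last = 0, None
        for t, _, domain, cat, dur in evs:
            if last is not None and t - last > maxpause:
                session += 1  # pause too long: start a new session for this user
            labelled.append((f"{user}:{session}", user, domain, cat, dur))
            last = t
    return labelled

def browsing_time_by_domain(events, exclude_category="Advertisements"):
    """Mirror `x_webcat_code_full!=Advertisements | stats sum(duration) as browsing_time
    count by dest_domain`, and also report how many distinct sessions touched each domain."""
    totals = defaultdict(lambda: {"browsing_time": 0, "count": 0, "sessions": set()})
    for sid, _, domain, cat, dur in sessionize(events):
        if cat == exclude_category:
            continue  # dropped exactly like the `search x_webcat_code_full!=Advertisements` step
        row = totals[domain]
        row["browsing_time"] += dur
        row["count"] += 1
        row["sessions"].add(sid)
    return {d: {"browsing_time": r["browsing_time"], "count": r["count"],
                "sessions": len(r["sessions"])} for d, r in totals.items()}

def format_duration(seconds):
    """Render seconds as HH:MM:SS, roughly what fieldformat tostring(x, "duration") shows."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"

if __name__ == "__main__":
    for domain, row in browsing_time_by_domain(EVENTS).items():
        print(domain, format_duration(row["browsing_time"]), "count", row["count"], "sessions", row["sessions"])
```

With the sample data google.com comes out as 00:08:00 with count 3, the single-row shape the question asked for, while the ad domain disappears entirely.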

sinescorey
New Member

"search sourcetype=wsa_accesslogs" vs "search index=summary" gives you a breakdown of the actual site visit times. Anyone else have an answer on how to aggregate the sites and times visited?
