Re: Help with creating an index search based on th... - Page 2

Bassik · ‎07-08-2020

Beginner here, I'm trying to run a search on unique logins for a web-based application. The current logs, however, do not indicate the information I need to be able to count which app the user logged into.

It may be easier to illustrate the search:

What I am trying to archive is on the _time value all those events (hidden) are triggered at the exact same time. I want to use that value as a unique ID to evaluate all the events that happened at that time as a group.

The information I require is from a_app

Could some explain to me a way to archive this?

I guess in summary if the UserAuthicationQuery had an actual log that identified what the user was logging into it would then work but the a_app for this process is done in a central location and not associated with the actual app the user is entering.

Bassik · ‎07-13-2020

As mentioned this is the closest I have:

But it includes every event at those timestamps. I only want the timestamp in which a_action = UserAuthenticationQuery. if I include UserAuthenticationQuery in search then it drops off all events. I don't know why it still doesn't append the multiple app values under appList field?

renjith_nair · ‎07-14-2020

ahh, why do you use stats in between ? It removes the UserAuthenticationQuery field from the results.

---
What goes around comes around. If it helps, hit it with Karma 🙂

Bassik · ‎07-14-2020

@renjith_nair

So I should remove it? If I do, it doesn't change anything I still get 2,730 results. I grabbed this from you on the first page you mentioned:

@Bassik,

As you said , it might not be accurate. However, if you want to get the app list for a user with time as a common factor (seconds' precision) , try this

"your search"
|eval timeIdentifier=strftime(_time,"%Y-%m-%d-%H-%M-%S")
|stats values(a_app)  as appList by timeIdentifier,cs_username

appList should have the list of apps. We converted time to string just to make sure that we take until seconds precision. You may user _time directly as well

renjith_nair · ‎07-14-2020

@Bassik,

that was for that specific solution.

Try the latest search please without the stats. Also have a look at the search's construction to understand how it works. That will help you to troubleshoot

---
What goes around comes around. If it helps, hit it with Karma 🙂

Bassik · ‎07-14-2020

@renjith_nair

Thanks again, yes I did remove it as mentioned. It didn't resolve anything other then list all events and not in a table format.

I have looked many times at the search construction and tried many things... I get what I want but do not understand the logic on how to link the two time events to no another.

renjith_nair · ‎07-14-2020

post your current search and sample events

---
What goes around comes around. If it helps, hit it with Karma 🙂

Bassik · ‎07-16-2020

@renjith_nair

Hi sorry for the delay. I have worked out an alternative to my search. I have another question. Is there a way to dedup a field by another event?

I seem to being getting my results but when I dedup username, it just randomly selects an event and lists that in my stats. I want to only dedup the username based on UserAuthenticationQuery event?

Thanks

Bassik · ‎07-13-2020

As mentioned this is the closest I have:

But it includes every event at those timestamps. I only want the timestamp in which a_action = UserAuthenticationQuery. if I include UserAuthenticationQuery in search then it drops off all events. I don't know why it still doesn't append the multiple app values under appList field?

Help with creating an index search based on the _time value (beginner)

search job inspector

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services