Splunk Search

How do I add an additional search condition to my table?

elijahm
Explorer

index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out"
| rex "^\[(?<time>[^\]]+)\].*\[(?<ip>[^\]]+)\]\[(?<name>[a-zA-Z]*)\](?<type>[^\(]+)\(\d*\)(.*makeModel=(?<device>.*),make)*(:StdOUT (?<macaddress>.*))*.*"
| eval _time=strptime(time,"%a %b %d %H:%M:%S")
| fields - _raw time
| stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip
| eval duration=(latestTime-_time)
| fields - latestTime
| search allTypes="NodeManager.getNodeByHWaddress" AND NOT allTypes="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes

The above search query creates a table which has a column with users' macaddresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose macaddress appears in the past logs on different days. I'm trying to find the users that used my program multiple times in the past and keep using it.

If the below search returns events that are on different days, then I want to display this user in the table I created above. Thanks!
index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f


ansusabu
Communicator

You can use the 'join' command if you want to retrieve the list of users for the MAC addresses which you have obtained, or you can use 'appendcols' if the two queries are not related.


richgalloway
SplunkTrust

Try adding this to the end of your query:

| bucket span=1d _time | stats count values(*) as * by macaddress | where count > 1
---
If this reply helps you, Karma would be appreciated.

elijahm
Explorer

It makes my table return only one statistic, with the macaddress column empty and the other columns listing their elements in that one statistic, so I can't tell what information is correlated to which user.


richgalloway
SplunkTrust

The macaddress field would be empty only if none of the events have a value for that column by the time the stats command runs. What do your results look like before the bucket command?

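One way to combine richgalloway's "count distinct days per macaddress" idea with the original pipeline without collapsing the table, as an added example (my search, not code posted in the thread). The index, source, rex and field names are taken from the question; the capture-group names in the rex are reconstructed from the fields the original pipeline uses (the first bracket is the timestamp, the only letters-only bracket cannot hold an IP, and the `Class.method(n)` token is what the allTypes filter matches), and `activeDays` and `day` are names chosen here. The search window must span more than one day (e.g. `earliest=-30d`) for the condition to mean anything.

```spl
index=client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" earliest=-30d
| rex "^\[(?<time>[^\]]+)\].*\[(?<ip>[^\]]+)\]\[(?<name>[a-zA-Z]*)\](?<type>[^\(]+)\(\d*\)(.*makeModel=(?<device>.*),make)*(:StdOUT (?<macaddress>.*))*.*"
| eval _time=strptime(time,"%a %b %d %H:%M:%S")
| fields - _raw time
| eval day=strftime(_time,"%Y-%m-%d")
| eventstats dc(day) as activeDays by macaddress
| stats count as eventCount min(_time) as _time max(_time) as latestTime max(activeDays) as activeDays values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip
| eval duration=(latestTime-_time)
| fields - latestTime
| where activeDays > 1
| search allTypes="NodeManager.getNodeByHWaddress" AND NOT allTypes="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost"
| fields - allTypes activeDays
```

The distinct-day count is computed with `eventstats` while macaddress is still a single value on each event, so every event is kept and the lines that carry type, name and device are not thrown away the way a `stats ... by macaddress` placed after the original `stats ... by ip` would throw them away (only the `:StdOUT` lines carry a MAC, so grouping by macaddress at that point leaves everything else with an empty key, which is the single empty-macaddress row reported above). Events without a macaddress get no activeDays from the eventstats, and `max(activeDays)` ignores them, so each ip row inherits the day count of the MAC(s) seen from it. Note the exclusion is written as `NOT allTypes="ActivateNode.doPost"`: on a multivalue field, `allTypes!="ActivateNode.doPost"` is true as soon as any one of the values differs, so it would exclude almost nothing.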