Re: How do you find common information between two...

pinkyyu · ‎01-24-2019

how do I get common information from two users in a proxy log?

for example, i would like to find whether a URL that both of the users have accessed in a particular period of time.

user=ABC OR user=XYZ tag=proxy 
http_user_agent=mozilla* OR http_user_agent=firefox* |associate

woodcock · ‎01-27-2019

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
AND (user=ABC OR user=XYZ tag=proxy)
AND (http_user_agent=mozilla* OR http_user_agent=firefox*)
| stats dc(user) AS num_users values(_time) BY URL
| where num_users > 1

adonio · ‎01-25-2019

assuming you have a field calledurl and you cant to see how many users touched it in a period of time, you can do something like this: (here for a 5 minutes period)
... your search ... | bin span=5m _time| stats dc(user) as unique_users values(user) as user_names by url ...
that will show how many unique users and their names touched each url (values of url field) in a 5 minutes timeframe
you can expand and see overtime:
... your search ... (user=a OR user=b OR user=c) (url=1 OR url=2 OR url=3) | timechart span=5m dc(user) as unique_users by url

hope it helps

How do you find common information between two users in a proxy log?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How do you find common information between two users in a proxy log?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...