Splunk Search

How to automatically initiate second search using the results of the first search

Itsecuser1
New Member

index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | sort - count | where count > 100

I would get results of 5 users and i want to initiate a different search using the results ,  can you let me know how i can do it 

index=logs   appname="appname  " user="here i need those 5 user names  found in the results to be inserted   "    url=*somewebsitenamestring   |   table _time user url  

I would prefer to receive 5 individual csv files for each user rather than one file with all 5 user data.

 

Thanks for your help , please let me know if this is possible 

 

 

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
|   table _time user url
  
0 Karma

Itsecuser1
New Member

Thanks a lot , i am able to view the results of the  user  , but i am not able to see a statistics table sorted by the user with the highest  count  , please can you let me know if it is possible to display the table 

Also is it possible to generate a CSV file for each individual user with the highest count ( higher than 100)  as part of an alert or as a report 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
| eventstats count by user
| sort -count
| table _time user url count

I don't think you can generate a csv file for each user, you can generate a csv file but it would contain all the results.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...