How to automatically initiate second search using ...

Itsecuser1 · ‎01-23-2022

index=logs appname="nameofapp " url=somewebsitenamestring | stats count by user | sort - count | where count > 100

I would get results of 5 users and i want to initiate a different search using the results , can you let me know how i can do it

index=logs appname="appname " user="here i need those 5 user names found in the results to be inserted " url=*somewebsitenamestring | table _time user url

I would prefer to receive 5 individual csv files for each user rather than one file with all 5 user data.

Thanks for your help , please let me know if this is possible

ITWhisperer · ‎01-23-2022

index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
|   table _time user url

Itsecuser1 · ‎01-23-2022

Thanks a lot , i am able to view the results of the user , but i am not able to see a statistics table sorted by the user with the highest count , please can you let me know if it is possible to display the table

Also is it possible to generate a CSV file for each individual user with the highest count ( higher than 100) as part of an alert or as a report

ITWhisperer · ‎01-23-2022

index=logs   appname="appname url=*somewebsitenamestring   
 [ search index=logs  appname="nameofapp " url=somewebsitenamestring     |  stats count by user | where count > 100 | table user ]
| eventstats count by user
| sort -count
| table _time user url count

I don't think you can generate a csv file for each user, you can generate a csv file but it would contain all the results.

How to automatically initiate second search using the results of the first search

count

other

stats

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?