Splunk Search

How to create a table with raw events after stats?

jwalzerpitt
Motivator

I am running the following search looking for a user who logs in from multiple cities within a five-minute time period.

index=foo
| bin span=5m _time 
| dedup src 
| iplocation src 
| stats count by _time City src user 
| sort -count 
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user 
| where City_Count > 3
| sort -Total 
| table _time user City IP

Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?

Thx

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.
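As an added illustration of that advice (not part of the question or of Rich's answer), here is the search from the question reworked around eventstats. After `stats ... by user` only the fields named in the stats call exist, so `table _time ... _raw` has nothing to show; eventstats computes the same per-user aggregates but writes them onto every event and leaves `_raw` in the pipeline. It assumes the question's `index=foo`, `src` and `user` fields; the names `Cities`, `IPs` and `City_Count` are my own. The `dedup src` is dropped because it would throw away the very events the table is meant to list, and the aggregates are grouped by user and 5-minute bin, as the question describes, rather than by user alone as in the original's second stats.

```spl
index=foo
| bin span=5m _time
| iplocation src
| eventstats dc(City) as City_Count values(City) as Cities values(src) as IPs by user _time
| where City_Count > 3
| sort -City_Count user _time
| table _time user City src Cities IPs City_Count _raw
```

Because eventstats adds fields instead of replacing events, the result has one row per matching login event, each carrying its own `_raw` next to the summary columns. streamstats would keep the events in the same way but computes the aggregates over an ordered, running window, which is the tool to reach for if the 5-minute grouping needs to slide rather than sit on fixed bins.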


gcusello
Legend

Hi jwalzerpitt,
I think that adding the raw events to this table gives less readability to the panel; I suggest creating a new panel below or to the right of this panel that opens the raw events for each user.
You can create a drilldown in the dashboard, so when you click on a row of this panel you open a different panel with all the events of that user.
To understand how to do this, see the example "In-page Drilldown with Perma-Linking" in the Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

bye.
Giuseppe

jwalzerpitt
Motivator

Giuseppe,

Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.

0 Karma

jwalzerpitt
Motivator

Thx Rich

On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?

Thx again

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on what you want to accomplish. This should be a separate question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jwalzerpitt
Motivator

Thx - will post as a separate question

0 Karma