Splunk Search

How to create a table with raw events after stats?

jwalzerpitt
Influencer

I am running the following search, looking for a user who logs in from multiple cities within a five-minute period.

index=foo
| bin span=5m _time 
| dedup src 
| iplocation src 
| stats count by _time City src user 
| sort -count 
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user 
| where City_Count > 3
| sort -Total 
| table _time user City IP

Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?

Thx

1 Solution

richgalloway
SplunkTrust

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.
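
As an added example (not from the accepted answer or the original search), here is the same detection rewritten so the raw events survive: the two stats passes are replaced with a single eventstats, which attaches the per-window aggregates to every event instead of collapsing them. It assumes `src` and `user` are already extracted, as in the question, and `window` is a field name chosen here for the 5-minute bucket. It drops the original `dedup src`, which would keep only one event per source address for the whole search.

```spl
index=foo
| iplocation src
| bin span=5m _time AS window
| eventstats dc(City) AS City_Count values(City) AS Cities values(src) AS IPs BY window user
| where City_Count > 3
| sort -City_Count user _time
| table _time user City src City_Count Cities IPs _raw
```

Because eventstats does not discard events, `_raw` is still available for the final table, and `bin ... AS window` leaves the original `_time` on each event for display. iplocation returns no City for private or unresolvable addresses, so those events do not count toward City_Count.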

gcusello
SplunkTrust

Hi jwalzerpitt,
I think that adding the raw events to this table gives the panel less readability; I suggest creating a new panel below or to the right of this panel that opens the raw events for each user.
You can create a drilldown in a dashboard, so when you click on a row of this panel you open a different panel with all the events of that user.
To understand how to do this, see the example "In-page Drilldown with Perma-Linking" in the Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ).

bye.
Giuseppe

jwalzerpitt
Influencer

Giuseppe,

Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.


jwalzerpitt
Influencer

Thx Rich

On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?

Thx again


richgalloway
SplunkTrust

It depends on what you want to accomplish. This should be a separate question.

---
If this reply helps you, Karma would be appreciated.

jwalzerpitt
Influencer

Thx - I will post it as a separate question.
