I am running the following search looking for a user who logs in from multiple cities within a five minute time period.
index=foo
| bin span=5m _time
| dedup src
| iplocation src
| stats count by _time City src user
| sort -count
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user
| where City_Count > 3
| sort -Total
| table _time user City IP
Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?
Thx
The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.
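One way to apply that advice to the search in the question, as an added example rather than Rich's own search: eventstats computes the per-user, per-5-minute-bucket distinct City count on every event and leaves _raw intact, so the final table can list the matching events next to their summary fields. It assumes the index, src and user fields from the question and drops the dedup src step, which would keep only one event per source address across the whole time range; Cities and IPs are field names chosen here.

```spl
index=foo
| iplocation src
| bin span=5m _time
| where isnotnull(City)
| eventstats dc(City) as City_Count, values(City) as Cities, values(src) as IPs by user _time
| where City_Count > 3
| sort 0 -City_Count user _time
| table _time user City_Count Cities IPs src City _raw
```

The where on City skips events whose source address iplocation could not resolve, since they would otherwise contribute nothing to the distinct count but still appear in the output; the threshold of 3 is the one from the question and is the value to tune.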
Hi jwalzerpitt,
I think that adding the raw events to this table gives less readability to the panel; I suggest creating a new panel below or to the right of this panel that opens the raw events for each user.
You can create a drilldown in the dashboard, so when you click on a row of this panel you open a different panel with all the events of that user.
To understand how to do this see the example "In-page Drilldown with Perma-Linking" in the Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).
bye.
Giuseppe
Giuseppe,
Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.
The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.
Thx Rich
On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?
Thx again
It depends on what you want to accomplish. This should be a separate question.
Thx - will post as a separate question