Splunk Search

How to create a table with raw events after stats?

jwalzerpitt
Influencer

I am running the following search looking for a user who logins in from multiple cities within a five minute time period.

index=foo
| bin span=5m _time 
| dedup src 
| iplocation src 
| stats count by _time City src user 
| sort -count 
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user 
| where City_Count > 3
| sort -Total 
| table _time user City IP

Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?

Thx

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi jwalzerpitt,
I think that add the raw events to this table give less readabilty to the panel, I suggest to create a new panel down or on the right of this panel where open the raw events for each user.
You can create a drilldows in dashboard, so when you click on a row of this panel you open a different panel with all the events od that user.
To understand how to do this see the example "In-page Drilldown with Perma-Linking" in Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) .

bye.
Giuseppe

jwalzerpitt
Influencer

Giuseppe,

Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.

jwalzerpitt
Influencer

Thx Rich

On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?

Thx again

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It depends on what you want to accomplish. This should be a separate question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jwalzerpitt
Influencer

Thx - will post as a separate question

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...