Splunk Search

How to use stats dc and get last time of occurrence?

dieguiariel
Path Finder

Hi! I'm trying to detect multiple user access from the same source (same mobile device). I'm feeding Splunk with logs from a mobile app like this:

09:50:14,524 INFO [XXXXXXXXXXXX] (default task-XXXXXX) [ authTipoPassword=X, authDato=XXXXX, authTipoDato=X, nroDocEmpresa=X, tipoDocEmpresa=X, authCodCanal=XXX, authIP=XXX.XXX.XXX.XXX, esDealer=X, dispositivoID=XXXXXXXXXX, dispositivoOS=XXXXX ]

I'm using the following search

search XXXX |  stats dc(authDato) as count,values(authDato) as AuthDato by dispositivoID dispositivoOS authIP | where count > 1 | sort - count 

and get almost all the info I wanted (like two different users - authDato - from the same deviceID (dispositivoID)), but I would like to enrich the data with the last time of occurrence for the event.

Is there a way to include this information? 

Thanks in advance.

0 Karma

dieguiariel
Path Finder

Thanks! How can I get the value of "latest" in the results?

The table shows only:

dispositivoID dispositivoOS authIP Country City count AuthDato

Is it possible to get the latest time next to AuthDato?

0 Karma

gcusello
SplunkTrust

Hi @dieguiariel,

latest is the value of the timestamp of the latest event of each group of values.

If you don't see it in your results, please share your search because, using my search, it's present.

Ciao.

Giuseppe

0 Karma

dieguiariel
Path Finder

Hi, sorry, I didn't explain myself correctly. It shows the last time of the last occurrence of the grouped events, but I would like to show the last time of occurrence of every item in the grouped list, like this:

include the latest time of occurrence for 3546316, the latest time of 6320818 and so on.

dispositivoID                         dispositivoOS  authIP           count  AuthDato  latest
062FC4DB-034D-4CA3-B6BD-72C5A471F0AA  iOS            XXX.XXX.XXX.XXX  3      3546319   2023-01-31 18:59:37
                                                                              6320818   2023-01-31 17:45:36
                                                                              7154705   2023-01-31 16:32:24

0 Karma

gcusello
SplunkTrust

Hi @dieguiariel,

you could add the latest option to the stats command:

search XXXX 
|  stats 
   dc(authDato) AS count
   values(authDato) AS AuthDato 
   latest(_time) AS latest
   BY dispositivoID dispositivoOS authIP 
| where count > 1 
| sort - count 
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe
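As an added example (not part of gcusello's answer or the poster's own search), this variant extends the approach above to the per-user timing the question asks for: a first stats computes the last access time per device and per authDato, the time is folded into the AuthDato value, and a second stats rolls that up per device so the shared-device alert keeps one "last seen" beside each user while still reporting the group's overall latest. Field names are those in the posted log line; XXXX stands for the poster's base search and the "last seen" label is an assumption.

```spl
search XXXX
| stats latest(_time) AS user_latest
    BY dispositivoID dispositivoOS authIP authDato
| eval AuthDato=authDato." (last seen ".strftime(user_latest,"%Y-%m-%d %H:%M:%S").")"
| stats dc(authDato) AS count
    values(AuthDato) AS AuthDato
    max(user_latest) AS latest
    BY dispositivoID dispositivoOS authIP
| where count > 1
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| sort - count
```

The dc() is still taken over the raw authDato after the first stats, so the count is the number of distinct users per device, not the number of (user, time) strings.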
