Splunk Search

Join two searches and drilldown

mdavis43
Path Finder

I have two source types, one (A) has Active Directory information, user id, full name, department. The other (B) contains a list of files from the filesystem on our NAS, user ids, file names, sizes, dates.

I want to be able to sort the list (A) of files by a user id, and correlate back to a department (B)

I'd also like to be able to drill down from a column graph, click on user id, see what files and what sizes they have. Any way to do this in Splunk? This is more like business intelligence than simple log searching.


lguinn2
Legend

Yep, all of this is possible with Splunk. The community could provide a better, clearer answer if you asked a more definite question, but here are some ideas.

First, I would put the AD info into a lookup table. You could update this lookup regularly - you could even update the lookup by running a search.

Then the list of files would be easy to set up as follows:

sourcetype=filelist 
| lookup AD_lookup userId OUTPUT deptName userName
| sort deptName userName fileName
| table deptName userName fileName fileSize lastUpdated

Of course, you might want a completely different report, or a summary report. But once you have the report, you can put it on a dashboard. And from a dashboard, you can customize the drill-down.

Also, remember that Splunk searches data based on a timestamp - all events must have a time (or else Splunk will assign a time). You should consider the time parameters of your search.

The Splunk Tutorial covers everything through creating lookups and building a dashboard. Drill-downs from a dashboard (using simple XML) are discussed in the Dashboards and Visualizations manual. Given both a bit of experience in Splunk and a reasonable knowledge of the data, I would expect that this could be constructed in a few hours at most.

Finally, you might want to pick up a copy of the book Exploring Splunk - which is available as a free ebook or as hardcopy from Amazon or Splunk. This book will give you a lot of ideas about what you can do with Splunk.

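To make the procedure in the answer concrete, here is an added example (not part of the original answer, and not Splunk's own documentation) of a Simple XML dashboard that wires the three pieces together: a scheduled search that rebuilds the AD lookup, a column chart of total file size per user id enriched with department and name via the lookup, and a drilldown that sets a token so a second panel lists that user's files. Assumptions: the AD events are indexed as sourcetype=adinfo, the lookup is the CSV file AD_lookup.csv (written by outputlookup and referenced by file name, so no lookup definition is required), and the field names userId, userName, deptName, fileName, fileSize and lastUpdated are those used in the search above.

```xml
<!-- Added example dashboard (assumed names, see lead-in). Save as Simple XML.

     Step 1 (run as a scheduled saved search, e.g. daily) rebuilds the lookup
     from the AD events. dedup keeps the most recent event per userId, so a
     user who changed department appears once with the current value:

       sourcetype=adinfo
       | dedup userId
       | table userId userName deptName
       | outputlookup AD_lookup.csv
-->
<form>
  <label>NAS files by user and department</label>

  <fieldset submitButton="false">
    <!-- One time picker shared by both panels: the file list is indexed
         with a timestamp, so both searches must cover the same window. -->
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Total file size per user (click a bar to list that user's files)</title>
      <chart>
        <search>
          <!-- Step 2: enrich each file event with department and name.
               fillnull keeps files whose owner is not in AD visible
               (orphaned or service accounts) instead of silently dropping
               them from the per-department view. -->
          <query>sourcetype=filelist
| lookup AD_lookup.csv userId OUTPUT deptName userName
| fillnull value="(unknown)" deptName userName
| stats sum(fileSize) AS totalBytes count AS files BY userId deptName userName
| sort - totalBytes
| head 20
| table userId totalBytes</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">userId</option>
        <option name="charting.axisTitleY.text">bytes</option>
        <!-- Step 3: userId is the x-axis, so $click.value$ is the clicked
             user id; storing it in a token drives the panel below. -->
        <drilldown>
          <set token="selected_user">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- Hidden until a bar has been clicked. -->
  <row depends="$selected_user$">
    <panel>
      <title>Files owned by $selected_user$</title>
      <table>
        <search>
          <query>sourcetype=filelist userId="$selected_user$"
| lookup AD_lookup.csv userId OUTPUT deptName userName
| fillnull value="(unknown)" deptName userName
| sort - fileSize
| table deptName userName fileName fileSize lastUpdated</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Two caveats when using this on real data. If the NAS listing is re-indexed on a schedule, a time range that spans several listings counts each file once per listing, so either restrict the picker to a single run or add `| dedup userId fileName` before the stats. And because the lookup is only as fresh as the last scheduled rebuild, a user who moves department shows up under the old one until the saved search next runs; schedule it more often than the file listing if that matters for the report.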