Splunk Search

Join two searches and drilldown

mdavis43
Path Finder

I have two source types, one (A) has Active Directory information, user id, full name, department. The other (B) contains a list of files from the filesystem on our NAS, user ids, file names, sizes, dates.

I want to be able to sort the list (A) of files by a user id, and correlate back to a department (B)

I'd also like to be able to drill down from a column graph, click on user id, see what files and what sizes they have. Any way to do this in Splunk? This is more like business intelligence than simple log searching.


lguinn2
Legend

Yep, all of this is possible with Splunk. The community could provide a better, clearer answer if you asked a more definite question, but here are some ideas.

First, I would put the AD info into a lookup table. You could update this lookup regularly - you could even update the lookup by running a search.

Then the list of files would be easy to set up as follows:

sourcetype=filelist 
| lookup AD_lookup userId OUTPUT deptName userName
| sort deptName userName fileName
| table deptName userName fileName fileSize lastUpdated

Of course, you might want a completely different report, or a summary report. But once you have the report, you can put it on a dashboard. And from a dashboard, you can customize the drill-down.

Also, remember that Splunk searches data based on a timestamp - all events must have a time (or else Splunk will assign a time). You should consider the time parameters of your search.

The Splunk Tutorial covers everything through creating lookups and building a dashboard. Drill-downs from a dashboard (using simple XML) are discussed in the Dashboards and Visualizations manual. Given both a bit of experience in Splunk and a reasonable knowledge of the data, I would expect that this could be constructed in a few hours at most.

Finally, you might want to pick up a copy of the book Exploring Splunk - which is available as a free ebook or as hardcopy from Amazon or Splunk. This book will give you a lot of ideas about what you can do with Splunk.

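A Simple XML dashboard that wires the lookup-based report in the answer above to a column chart with a click-through, added here as an illustration; it is not code from the original answer or from Splunk documentation. It assumes the same names the answer uses (sourcetype filelist, lookup AD_lookup, fields userId, userName, deptName, fileName, fileSize, lastUpdated); the 7-day time range and the version="1.1" attribute (accepted by recent Splunk releases) are assumptions. Clicking a column sets the selected_user token, which reveals the second row listing that user's files.

```xml
<dashboard version="1.1">
  <label>NAS files by user (added example, not the original answer)</label>

  <row>
    <panel>
      <title>Total file size per user id (click a column to list that user's files)</title>
      <chart>
        <search>
          <!-- Enrich each file event with department and full name from the
               AD_lookup table, then summarise bytes per user id. -->
          <query>sourcetype=filelist
| lookup AD_lookup userId OUTPUT deptName userName
| stats sum(fileSize) AS totalBytes count AS fileCount BY userId userName deptName
| sort -totalBytes
| fields userId totalBytes</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <drilldown>
          <!-- $click.value$ is the x-axis value (the userId) of the clicked column. -->
          <set token="selected_user">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- This row stays hidden until a column has been clicked. -->
  <row depends="$selected_user$">
    <panel>
      <title>Files owned by $selected_user$</title>
      <table>
        <search>
          <!-- The |s filter wraps the token value in double quotes and escapes it,
               so a user id containing spaces or quotes cannot alter the search. -->
          <query>sourcetype=filelist userId=$selected_user|s$
| lookup AD_lookup userId OUTPUT deptName userName
| table deptName userName fileName fileSize lastUpdated
| sort -fileSize</query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The AD_lookup table the answer refers to can be kept current with a scheduled search that ends in `| outputlookup AD_lookup.csv`, selecting one row per userId from the Active Directory source type; the lookup definition then needs to exist under Settings > Lookups before the dashboard searches will resolve it.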