Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to query for a users internet history activity

cwright757
New Member
‎04-10-2020 09:35 AM

I have this query:

search index="paloaltologs" user="*UserName" | table _time, user, url, action

However it doesn't appear to return the desired data - which is a table of the following:

EventDate / username / URL Visited / Allowed

Query seems to return everything except for the traffic that I want to view which is simply internet history and not internal network traffic. Please help!

0 Karma
Reply

DalJeanis
Legend
‎04-10-2020 02:26 PM

Okay, so here are the debug steps that I would start with.

1) Go actually DO whatever it is you are trying to detect. For example, go browse a website. (If you don't have access, then find a single user who does, and have them do this step.)

2) Now you know one event - yours - that should absolutely be in those logs. Go find it.

Suppose your user name is CXW, search across the fifteen minute interval where you just browsed the web, and do this...

index="paloaltologs" CXW

Do not limit the search more than that. You want to be absolutely sure the records are in that index, and see any other records that you might want to get rid of.

3) Now start reducing the search, one step at a time, until you get only the record(s) you are interested in. Eventually , you will end up with a search that looks close to what you originally had, with one or two differences. Then you'll know what the prior mistake was.

0 Karma
Reply

DalJeanis
Legend
‎04-10-2020 12:08 PM

If you can give an example of what it does return that is correct, and one example of what it returns that is incorrect, then we can help you more.

0 Karma
Reply

cwright757
New Member
‎04-10-2020 12:33 PM

See below... I'm getting everything but the desired result which is just HTTP traffic...

Apr 10 15:17:21 SERVERNAME 1,2020/04/10: 15:17:21,001701015474,TRAFFIC,end,2305,2020/04/10 15:17:21,10.122.32.37,10.122.32.11,0.0.0.0,0.0.0.0,Zone Serveurs,DOMAIN\USERNAME,,dns,vsys1,Zone_Serveurs,Zone_Serveurs,ethernet1/1,ethernet1/1,ORG_LNF_SPLUNK,2020/04/10 15:17:21,395726,1,55482,53,0,0,0x19,udp,allow,464,166,298,4,2020/04/10 15:16:49,30,any,0,42206599365,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,2,aged-out,0,0,0,0,,SERVERNAME,from-policy,,,0,,0,,N/A,0,0,0,0,a91acf34-1547-4075-8c84-8c26d0469102,0,0,,,,,,,

action =    allowed 
host =  spm1052 
index = paloaltologs    
source =    /logs/paloalto.log  
sourcetype =    pan:traffic 
type =  TRAFFIC 
user =  DOMAIN\USERNAME
0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top