Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Top 10 user then based on these 10 user to search again by date

simontam
Explorer
‎07-10-2014 02:40 AM

I am quite new to Splunk search query. I have collected traffic logs from paloalto firewall. I want to have the Top 10 user monthly report which sum up the total byte size and sessions by a month. I have done the below search to get our expected result.

index=pan_logs sourcetype=pan_traffic | stats sum(bytes) as totalbytes, count(session_id) as Sessions by src_user | eval "Total Size"=formatbytes(totalbytes)| sort -totalbytes | table src_user "Total Size" Sessions | head 10

On the other way, I need to divided the results by days. The below search a specific user and divides the total bytes and sessions per day.

index=pan_logs sourcetype=pan_traffic src_user="user1" | eval time=strptime(generated_time,"%Y/%m/%d %H:%M:%S")| bucket time span=1d | stats sum(bytes) as totalbytes, count(session_id) as Sessions by time | eval "Total Size"=formatbytes(totalbytes)| eval Date=strftime(time, "%d/%m/%Y") | sort -Date | table Date "Total Size" Sessions

I would like the 2nd search to know the TOP 10 users and get the result of "divided by date" on that TOP 10 users.
My wordings seems confusing. What i need to achieve is to get Monthly Top 10 Users and their total size and sessions per day.

Can anyone give me some hints on it?

Thanks in advance.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-10-2014 07:03 AM

Give this a try

index=pan_logs sourcetype=pan_traffic 
| eval Date=strftime(strptime(generated_time,"%Y/%m/%d %H:%M:%S"), "%d/%m/%Y")
| stats sum(bytes) as totalbytes, count(session_id) as Sessions by Date,src_user
| eventstats sum(totalbytes) as TotalUserBytes by src_user
| sort -TotalUserBytes
| streamstats window=1 current=f first(TotalUserBytes) as prevTotalUserBytes
| eval sno=if(isnull(prevTotalUserBytes) OR prevTotalUserBytes!=TotalUserBytes,1,0) 
| accum sno | where sno < 11 
| fields - TotalUserBytes,prevTotalUserBytes,sno
| sort Date,src_user

View solution in original post

Reply
Solved! Jump to solution

simontam
Explorer
‎07-10-2014 07:07 PM

Thanks somesoni2. The result is exactly what I want. You are the man. I think i have to change my thinking way of search.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎07-10-2014 07:03 AM

Give this a try

index=pan_logs sourcetype=pan_traffic 
| eval Date=strftime(strptime(generated_time,"%Y/%m/%d %H:%M:%S"), "%d/%m/%Y")
| stats sum(bytes) as totalbytes, count(session_id) as Sessions by Date,src_user
| eventstats sum(totalbytes) as TotalUserBytes by src_user
| sort -TotalUserBytes
| streamstats window=1 current=f first(TotalUserBytes) as prevTotalUserBytes
| eval sno=if(isnull(prevTotalUserBytes) OR prevTotalUserBytes!=TotalUserBytes,1,0) 
| accum sno | where sno < 11 
| fields - TotalUserBytes,prevTotalUserBytes,sno
| sort Date,src_user
Reply
Solved! Jump to solution

simontam
Explorer
‎07-28-2014 12:15 AM

The result is super perfect. But I was requested to show the username only once in the report. Like:

abc\user1 01/07/2014 3.62 GB 15320 46.99 GB
02/07/2014 2.46 GB 12954 46.99 GB
03/07/2014 3.62 GB 18994 46.99 GB
abc\user2 01/07/2014 2.92 GB 336094 37.83 GB
03/07/2014 2.96 GB 353829 37.83 GB
04/07/2014 2.44 GB 278589 37.83 GB

Is it possible?

0 Karma
Reply
Solved! Jump to solution

simontam
Explorer
‎07-28-2014 12:15 AM

Sorry for my typo. I was looking the possibility to show the results which grouped by username.

By your help, i can get something like below:
abc\user1 01/07/2014 3.62 GB 15320 46.99 GB
abc\user1 02/07/2014 2.46 GB 12954 46.99 GB
abc\user1 03/07/2014 3.62 GB 18994 46.99 GB
abc\user2 01/07/2014 2.92 GB 336094 37.83 GB
abc\user2 03/07/2014 2.96 GB 353829 37.83 GB
abc\user2 04/07/2014 2.44 GB 278589 37.83 GB

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎07-11-2014 06:20 AM

I am not sure I get what you need here. Could you provide more information?

0 Karma
Reply
Solved! Jump to solution

simontam
Explorer
‎07-10-2014 09:57 PM

@somesoni2 If I soft the src_user first, is it possible to show only once the username?

0 Karma
Reply
Solved! Jump to solution

simontam
Explorer
‎07-10-2014 07:07 PM

Thanks somesoni2. The result is exactly what I want. You are the man. I think i have to change my thinking way of search.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...