Re: Search for first event

balcv · ‎07-09-2019

I would like to write a search of traffic data that will return _time,user,src_ip for the first occurrence. However, it is highly probably that a user will have multiple src_ip. (eg A user logins into a PC and a WiFi device).

So I am looking for a list of unique user / src_ip combinations showing the earliest instance the combination exists.

I currently have:

index="pan" (user="*\user1" AND > src_ip="192.168.*")

| stats earliest(_time) as firstEvent count by src_ip,user

| table firstEvent,user,src_ip

This returns the earliest combinations of user / src_ip disaplying the user and src_ip however I cannot get it to display the earliest _time each combination is found.

Many thanks.

woodcock · ‎07-10-2019

Try this:

index="pan" (user="*\user1" AND src_ip="192.168.*") 
| stats min(_time) as _time count last(_raw) As firstEvent by src_ip,user 
| table _time firstEvent,user,src_ip

woodcock · ‎07-10-2019

I do not understand your problem.

balcv · ‎07-10-2019

The problem is that I do not get any results for _time. The output includes the unique user / src_ip combinations but does not show the earliest time it was detected in the search results. The column for firstEvent is blank.

woodcock · ‎07-10-2019

Is that > supposed to be there? Why?

jawaharas · ‎07-10-2019

You query seems to working fine with my sample data. I wonder what is missing. Anyway, I have formatted 'firstEvent' field (from epoch format) for easy readability.

| <base_query>
| stats earliest(_time) as firstEvent count by src_ip,user 
| eval firstEvent=strftime(firstEvent,"%Y-%m-%d %H:%M:%S")
| table firstEvent,user,src_ip

FrankVl · ‎07-10-2019

Can you please make more clear what you want and how that is different from what you get? because the search you are showing does exactly that: for each user/src_ip combination, show the earliest(_time) and the count.

tiagofbmm · ‎07-10-2019

I think you need to look first into the user, which is the "static" part, and then look for each src_ip he has as it is dynamic:

Making it generic so you can get the results for any user and src_ip pair

index="pan" 
| stats earliest(_time) as firstEvent count by src_ip,user 
| table firstEvent,user,src_ip

This gives you the earliest time and count of each combination... Is this what you want? I'm not sure I'm not missing your goal here

FrankVl · ‎07-10-2019

That's the exact same search as was mentioned in the question (apart from dropping some of the filtering for user and src_ip fields)?

balcv · ‎07-10-2019

The problem is that I do not get any results for _time. The output includes the unique user / src_ip combinations but does not show the earliest time it was detected in the search results. The column for firstEvent is blank.

tiagofbmm · ‎07-10-2019

I understood the problem here was "each combination is found", where filtering on user AND src_ip would give just one. Anyway, that's why I asked for more clarification too, it's not clear whether we're missing the point

FrankVl · ‎07-10-2019

He's not filtering for specific user or IP, he's filtering for a certain pattern in both fields. But totally agree with you that the question is not very clear 🙂

Search for first event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation