Searching for a specific users browsing history

redfan9 · ‎01-29-2021

I am a newbie to Splunk and am trying to find out what query I can use to find a specific users browsing history for a specific date and time. We use Palo Alto for our firewall.

ekenne06 · ‎01-30-2021

So this really depends on how your splunk instance has been built out. Ideally you have your data separated into proper indexes/sources/sourcetypes. Then those source types have the proper field extractions so you can search on the data. I will demonstrate the possible step below for if your instance is built out properly:

The first thing you need to figure out is which index is this data in? a quick way to test your available indexes is to set your time window to 15mins -60mins depending on your volume. then do a index =* (don't do this all the time or your splunk admins will be angry).

Once your search returns parse through the values returned in the interesting fields section, specifically Index, Source, Sourcetype. I imagine your source would be the host name of your firewall. Select that host and then in your time range select the window you are interested in. Hopefully at this point you have some data returning. Then in your interesting fields there might be a value for the user you are looking for, again this depends on your field extractions.

Let me know how far you get in this!

Searching for a specific users browsing history

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life