Simple splunk table question

mjh · ‎09-01-2023

I am new to Splunk so I'm learning and I know that it can do quite a bit. I am searching for similar network traffic for users based on our proxy indexes. I want to know if there is a particular site visited by all of the users in our list of 50 or so. so user and url are necessary. I need to pull it from all of their data in our network proxy though. here is a redacted portion of a search I have honed down to but feel free to suggest something better.

Edit to provide a clear question: The below search doesn't work, can you provide a different search or edits that would assist me in getting the data I'm looking for?

index=<network one> <userID> IN (userID1,userID2) AND url=* | stats dc(userID) as count by url | where count=2

gcusello · ‎09-02-2023

Hi @mjh,

what is your question?

if you want to know if the solution you shared is correct, you are the one that can perform the check: have you results?

if yes, it's correct, if not, you have to debug, probably there some error in fields extractions.

Ciao.

Giuseppe

Simple splunk table question

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

Simple splunk table question

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!