Splunk Search
Highlighted

User data collapsed with activity information collected in separate statements

Explorer

My app writes two log statements, audit and activity statement, for each invocation as below:

audit:
type:audit | tid:123 | userid:abc

activity:
type:activity | tid:123 | action:login

Need is to get a sense of what the user has done by displaying the userid and collapsing the action into a table.

What I tried so far is to define a transaction on audit log and collapsed all tid for a given user which displays data as below:

userid | tid

abc | 123
| 345

| 876

xyz | 793
| 438

How to show action values from activity instead of tid ?

Tags (2)
0 Karma
Highlighted

Re: User data collapsed with activity information collected in separate statements

SplunkTrust
SplunkTrust

What is your current search statement?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: User data collapsed with activity information collected in separate statements

Explorer
index=webapp host=pxdtp00* AND audit* | transaction UserId | table UserId TxnId | join TxnId [search index=webapp host=pxdtp00* activity* | stats Action by TxnId ] | table UserId Action TxnId

search before join collapses all txnId fields for a given user. Next search is not able to complement action into the mix.

0 Karma
Highlighted

Re: User data collapsed with activity information collected in separate statements

Legend

Try this (assuming all fields have been extracted)

index=webapp host=pxdtp00* (audit* OR activity*) | rex "(?<Action>audit|activity)"  | stats values(Action) as Action by UserId TxnId | mvexpand Action

UPDATED to include field extraction

0 Karma
Highlighted

Re: User data collapsed with activity information collected in separate statements

Legend

Try the updated query. I modified it to include field extraction.

0 Karma
Highlighted

Re: User data collapsed with activity information collected in separate statements

Explorer

This query is getting results as wanted.

index=webapp host=host* AND IntegrationFrameworkV01 AND audit* |  dedup TxnId | table UserId TxnId | join TxnId [search index=webapp host=host* AND IntegrationFrameworkV01 AND client:* | eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S")  | stats values(Action) as Action sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency by TxnId HttpCode Date_Time  ]  | stats list(Action) as Action list(Latency) as Latency list(HttpCode) as HttpCode list(Date_Time) as DateTIme by UserId  | table UserId Action DateTIme Latency HttpCode

Job indicates,

'stats' command: limit for values of field 'DPIFAction' reached. Some values may have been truncated or ignored.

How to stop truncating results ?

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.