User data collapsed with activity information collected in separate statements

Explorer

My app writes two log statements, an audit statement and an activity statement, for each invocation, as below:

audit:
type:audit | tid:123 | userid:abc

activity:
type:activity | tid:123 | action:login

The need is to get a sense of what the user has done by displaying the userid and collapsing the actions into a table.

What I have tried so far is to define a transaction on the audit log and collapse all tid values for a given user, which displays data as below:

userid | tid
-------+-----
abc    | 123
       | 345
       | 876
xyz    | 793
       | 438

How do I show the action values from activity instead of tid?


Re: User data collapsed with activity information collected in separate statements

SplunkTrust

What is your current search statement?

---
If this reply helps you, an upvote would be appreciated.

Re: User data collapsed with activity information collected in separate statements

Explorer
index=webapp host=pxdtp00* AND audit* | transaction UserId | table UserId TxnId | join TxnId [search index=webapp host=pxdtp00* activity* | stats values(Action) as Action by TxnId ] | table UserId Action TxnId

The search before the join collapses all TxnId fields for a given user. The next search is not able to add Action into the mix.


Re: User data collapsed with activity information collected in separate statements

Legend

Try this (assuming all fields have been extracted):

index=webapp host=pxdtp00* (audit* OR activity*) | rex "(?<Action>audit|activity)" | stats values(Action) as Action by UserId TxnId | mvexpand Action

UPDATED to include field extraction.


Re: User data collapsed with activity information collected in separate statements

Legend

Try the updated query. I modified it to include field extraction.


Re: User data collapsed with activity information collected in separate statements

Explorer

This query is getting results as wanted.

index=webapp host=host* AND IntegrationFrameworkV01 AND audit* | dedup TxnId | table UserId TxnId | join TxnId [search index=webapp host=host* AND IntegrationFrameworkV01 AND client:* | eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S") | stats values(Action) as Action sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency by TxnId HttpCode Date_Time ] | stats list(Action) as Action list(Latency) as Latency list(HttpCode) as HttpCode list(Date_Time) as DateTime by UserId | table UserId Action DateTime Latency HttpCode

The job indicates:

'stats' command: limit for values of field 'DPIFAction' reached. Some values may have been truncated or ignored.

How do I stop the results from being truncated?

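As an added example, not code posted in this thread, the same correlation done outside Splunk: parse the pipe-delimited key:value lines from the question, join audit to activity on tid, and collapse the actions per userid. The log lines are constructed samples, and the max_values cap is an assumed stand-in for the stats list() size limit behind the truncation warning in the last post; rather than silently dropping actions, it flags the affected user.

```python
import re
from collections import defaultdict
# Constructed sample lines in the format shown in the question: pipe-delimited
# key:value pairs, one audit line and one activity line per tid.
SAMPLE_LOGS = """\
type:audit | tid:123 | userid:abc
type:activity | tid:123 | action:login
type:audit | tid:345 | userid:abc
type:activity | tid:345 | action:view_report
type:audit | tid:793 | userid:xyz
type:activity | tid:793 | action:login
type:audit | tid:876 | userid:abc
type:activity | tid:876 | action:logout
type:activity | tid:999 | action:orphan
"""

FIELD_RE = re.compile(r"(\w+):(\S+)")

def parse_line(line):
    """Extract key:value fields from one pipe-delimited log line."""
    return dict(FIELD_RE.findall(line))

def collapse_actions(log_text, max_values=100):
    """Join audit and activity lines on tid, then collapse actions per userid.

    Python equivalent of the thread's `join TxnId [...] | stats list(Action)
    by UserId`. max_values is an assumed stand-in for the stats list() size
    limit behind the truncation warning; a row that hits it is flagged
    instead of silently losing actions.
    """
    user_by_tid, action_by_tid = {}, {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") == "audit" and "tid" in f and "userid" in f:
            user_by_tid[f["tid"]] = f["userid"]
        elif f.get("type") == "activity" and "tid" in f and "action" in f:
            action_by_tid[f["tid"]] = f["action"]

    rows = defaultdict(lambda: {"actions": [], "truncated": False})
    # Inner join on tid: an activity line with no audit line has no userid.
    for tid, userid in user_by_tid.items():
        action = action_by_tid.get(tid)
        if action is None:
            continue
        row = rows[userid]
        if len(row["actions"]) >= max_values:
            row["truncated"] = True
            continue
        row["actions"].append(action)
    return dict(rows)
```

The activity line for tid 999 has no matching audit line, so it never gets a userid and drops out of the join, exactly as the inner join in the SPL would drop it.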