Hi, I'm new to Splunk so any help would be greatly appreciated. I'm trying to do two different things, and I'm not quite sure how it's done. I need to be able to do a count of how many times a user made modifications on a specific server, but an hour's break between modifications counts as a different instance. I also need to be able to sort the data, so it'll show the Location, Server Name, Username, and the count.
I'm able to use the stats count to sort and give me a count of the instance, but I don't know how to combine multiple instances on a specific server by a user if they are not more than 1 hour apart.
Thanks.
Here's what the logs look like:
Security,Sep 3, 2012 8:33:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT, jdoe Security:4624, 192.10.2.21, fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Here's what I want to be able to see:
Location  User    IP           Date                      Count
Seattle   Jdoe    192.10.1.21  Sep 3, 2012 8:33 PM EDT   2
Seattle   Jdoe    192.10.1.21  Sep 3, 2012 8:40 PM EDT   1
Seattle   Jdoe    192.10.1.21  Sep 3, 2012 8:50 PM EDT   1
Chicago   jsmith  192.10.2.59  Sep 12, 2012 10:54 AM EDT 2
Chicago   jsmith  192.10.2.59  Sep 12, 2012 10:59 AM EDT 2
It definitely sounds like you should be looking into using transaction with the maxpause parameter. It will output the field eventcount that you can use as your count.
... | transaction maxpause=1h Location User IP | eval Count=eventcount | eval Date=_time | table Location User IP Date Count
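The grouping that transaction with maxpause performs is easy to check offline against the lines posted in the question. The following is an added example, not code from the thread or from Splunk: it parses the posted log lines (copied here as constructed sample input), groups each Location/Server/User's events into sessions where a gap of at least maxpause seconds starts a new session, and reports the count per session sorted by Location, Server, User. The field names (location, server, user, ip), the single EDT timezone, and the strict "less than maxpause joins" rule are assumptions of this example. One caveat worth checking against your own results: transaction opens a new group whenever any of the listed fields changes, so putting IP in the key splits a user's events across sessions when their IP changes even though the timestamps are within maxpause; the example makes the key a parameter so both behaviours can be compared.

```python
"""Sessionize Windows Security 4624 logon lines the way Splunk's
`transaction maxpause=...` groups them. Hypothetical example code written for
this thread; it is not Splunk's implementation and not from the original post."""
import re
from datetime import datetime

# Constructed sample input: the log lines copied from the question above.
SAMPLE_LOG = """\
Security,Sep 3, 2012 8:33:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT, jdoe Security:4624, 192.10.2.21, fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
"""

# One comma-separated line: source, timestamp, "<user> <channel>:<event code>",
# ip, server, location, with an optional trailing comma (line 1 has one).
LINE_RE = re.compile(
    r"^(?P<source>[^,]+),\s*"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<tz>[A-Z]{3,4}),\s*"
    r"(?P<user>\S+)\s+(?P<channel>[^:,]+):(?P<code>\d+),\s*"
    r"(?P<ip>[^,\s]+),\s*(?P<server>[^,\s]+),\s*(?P<location>[^,\s]+),?\s*$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # Assumption: every line carries the same zone (EDT here), so naive
        # datetimes compare correctly. Mixed zones would need offset handling.
        e["time"] = datetime.strptime(e["ts"], "%b %d, %Y %I:%M:%S %p")
        events.append(e)
    return events


def sessionize(events, key_fields=("location", "server", "user"), maxpause=300):
    """Group events that share key_fields into sessions. An event joins the open
    session for its key when the gap since that session's last event is less than
    maxpause seconds; otherwise it opens a new session. Strict '<' is an assumption
    taken from the 'difference is less than 300' wording in the thread."""
    open_session = {}
    sessions = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = tuple(e[f] for f in key_fields)
        s = open_session.get(key)
        if s is not None and (e["time"] - s["end"]).total_seconds() < maxpause:
            s["end"] = e["time"]
            s["count"] += 1
            s["ips"].add(e["ip"])
        else:
            s = {"key": dict(zip(key_fields, key)), "start": e["time"],
                 "end": e["time"], "count": 1, "ips": {e["ip"]}}
            sessions.append(s)
            open_session[key] = s
    return sessions


def report(sessions):
    """Rows sorted by Location, Server, User, then start time: the table the question asks for."""
    ordered = sorted(sessions, key=lambda s: (s["key"].get("location", ""),
                                              s["key"].get("server", ""),
                                              s["key"].get("user", ""), s["start"]))
    return [(s["key"].get("location"), s["key"].get("server"), s["key"].get("user"),
             ",".join(sorted(s["ips"])), s["start"].strftime("%b %d, %Y %I:%M %p"),
             s["count"]) for s in ordered]


def counts_for(sessions, user):
    """Per-session counts for one user in start order; handy for checking results."""
    return [s["count"] for s in sorted(sessions, key=lambda s: s["start"])
            if s["key"].get("user") == user]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in report(sessionize(evs)):
        print("\t".join(str(c) for c in row))
```

With maxpause=300 the sample produces exactly the counts in the question's desired table (jdoe 2, 1, 1; jsmith 2, 2). With maxpause=3600 and the key limited to Location/Server/User, each user collapses to a single session of 4; adding ip to the key at 3600 splits jdoe into 3 and 1 and jsmith into 2 and 2, which is the "within maxpause but not combined" effect to look for when a transaction keyed on IP seems to under-merge.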
I'm sorry I don't follow what you want to achieve. Could you please explain it more clearly?
I still see a couple of instances where the time is within the maxpause, but it's not combining the count.
Using the answer provided above, can I use the information from the "Date" field and have Splunk combine and add a count if the "Date" difference is less than 300? The information displayed in the "Date" field is a 10-digit number.
dammit! too fast for me... 🙂
I've looked at the transaction command, but that didn't seem to be able to do what I want.
Please tell us more about the log data in question. Other than that, have you looked at the transaction command?