Splunk Search

sort and combine multiple lines if there's no pause

lauj
Observer

Hi, I'm new to Splunk so any help would be greatly appreciated. I'm trying to do two different things, and I'm not quite sure how it's done. I need to be able to do a count of how many times a user made modifications on a specific server, but an hour break between modifications is counted as a different instance. I also need to be able to sort the data, so it'll show the Location, Server Name, Username, and the count.

I'm able to use stats count to sort and give me a count of the instances, but I don't know how to combine multiple instances on a specific server by a user if they are not more than 1 hour apart.

Thanks.

Here's what the logs look like:

Security,Sep 3, 2012 8:33:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago,        
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle                
Security,Sep 3, 2012 8:33:47 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago             
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago         
Security,Sep 12, 2012 10:59:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle                
Security,Sep 3, 2012 8:50:47 PM EDT,    jdoe    Security:4624,  192.10.2.21,    fileserver, Chicago         
Security,Sep 12, 2012 11:02:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle    

Here's what I want to be able to see:

Location    User    IP      Date                Count
Seattle     Jdoe    192.10.1.21 Sep 3, 2012 8:33 PM EDT     2
Seattle     Jdoe    192.10.1.21 Sep 3, 2012 8:40 PM EDT     1
Seattle     Jdoe    192.10.1.21 Sep 3, 2012 8:50 PM EDT     1
Chicago     jsmith  192.10.2.59 Sep 12, 2012 10:54 AM EDT   2
Chicago     jsmith  192.10.2.59 Sep 12, 2012 10:59 AM EDT   2

Ayn
Legend

It definitely sounds like you should be looking into using transaction with the maxpause parameter. It will output the field eventcount that you can use as your count.

... | transaction maxpause=1h Location User IP | eval Count=eventcount | eval Date=_time | table Location User IP Date Count
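The maxpause grouping that transaction performs, as an added Python example (not Splunk's code and not from this thread): it parses the log layout from the question into events, chains events that share Location, User and IP while consecutive events are no more than maxpause apart, and reports the earliest _time as Date and the chain length as Count (Splunk's eventcount). The sample lines are constructed to match the question's excerpt; the field names and the 300-second span are assumptions taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the layout of the question's log excerpt.
LOG_LINES = """\
Security,Sep 3, 2012 8:33:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT,  jsmith Security:4624,   192.10.2.59,    printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT,    jdoe    Security:4624,  192.10.1.21,    fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT,    jdoe    Security:4624,  192.10.2.21,    fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT,  jsmith Security:4624,   192.10.1.59,    printserver, Seattle
""".splitlines()

# Timestamp, user, source IP and location are extracted; the server name is skipped.
LINE_RE = re.compile(r"^Security,(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) EDT,\s*"
                     r"(?P<User>\S+)\s+Security:\d+,\s*(?P<IP>[\d.]+),\s*[^,]+,\s*(?P<Location>\w+)")

def parse(line):
    """Return one event dict (or None for lines that do not match the layout)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%b %d, %Y %I:%M:%S %p")
    return ev

def transactions(events, maxpause, keys=("Location", "User", "IP")):
    """Group like `transaction maxpause=<span> Location User IP`: events sharing the key
    fields are chained while consecutive events are <= maxpause apart (Date, Count per chain)."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_key[tuple(ev[k] for k in keys)].append(ev)
    rows = []
    for key, evs in by_key.items():
        chain = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if ev["_time"] - prev["_time"] > maxpause:   # pause too long: close the chain
                rows.append(dict(zip(keys, key), Date=chain[0]["_time"], Count=len(chain)))
                chain = []
            chain.append(ev)
        rows.append(dict(zip(keys, key), Date=chain[0]["_time"], Count=len(chain)))
    return sorted(rows, key=lambda r: tuple(r[k] for k in keys) + (r["Date"],))

if __name__ == "__main__":
    events = [e for e in map(parse, LOG_LINES) if e]
    for r in transactions(events, timedelta(hours=1)):
        print(r["Location"], r["User"], r["IP"], f'{r["Date"]:%b %d, %Y %I:%M %p}', r["Count"])
```

Running it with maxpause=300 seconds instead of 1h shows how the chosen span changes the counts: the two 8:33 events stay together while 8:40 and 8:50 become their own rows.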

Ayn
Legend

I'm sorry I don't follow what you want to achieve. Could you please explain it more clearly?


lauj
Observer

I still see a couple of instances where the time is within the maxpause, but it's not combining the count.

Using the answer provided above, can I use the information from the "Date" field and have Splunk combine and add a count if the "Date" difference is less than 300? The information displayed in the "Date" field shows a 10-digit number.


kristian_kolb
Ultra Champion

dammit! too fast for me... 🙂


lauj
Observer

I've looked at the transaction command, but that didn't seem to be able to do what I want.


kristian_kolb
Ultra Champion

Please tell us more about the log data in question.

Other than that, have you looked at the transaction command?
