I am trying to map a user's activity once they've logged into a VDI session to when they log into a specific application. My search is as follows: I have tried using the return, fields + and join commands to make this work. Each search returns values individually, but together I get nothing. Thoughts?
Searches:

```spl
index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event="*logged*" | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event | sort 0 -_time
```

OR

```spl
index=* user=xxx* computer=vdi* [search sourcetype=something user=user1 event="*logged*" | return 100 user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event | sort 0 -_time
```

OR

```spl
index=* user=xxx* computer=vdi* | join user max=0 [search sourcetype=something user=user1 event="*logged*" | fields + user, event] | eval hostname=coalesce(computer, host) | table _time, user, hostname, event | sort 0 -_time
```
Updated to mark code.
This is your first query. The only thing I've changed is to switch from `fields` to `table` and then added `dedup`.

```spl
index=* user=xxx* computer=vdi*
    [ search sourcetype=something user=user1 event="*logged*"
    | table user, event | dedup user, event]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time
```
The `table` command eliminates all fields except the ones listed, whereas the `fields` command leaves some internal fields like `_time`, which, after it goes through the implicit `format` command at the end of the subsearch (when it hits the close bracket `]`), is going to mess with retrieving the records.

To see the difference, compare the output of these:

```spl
sourcetype=something user=user1 event="*logged*"
| fields + user, event
| format
```

```spl
sourcetype=something user=user1 event="*logged*"
| table user, event
| format
```
Updated to include the asterisks that the interface had removed from OP's search.
Unfortunately, neither of these suggestions worked. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login, assuming the VDI login ID for the user may differ from the application user ID?
Okay, I marked your code as code, so the asterisks showed up. I updated my code to include them.
"Did not work" doesn't give us anything to go on. Please be very specific about what does or does not occur. Did the last two samples produce any results? Did the difference make sense to you?
My apologies. I meant the searches came back empty when I run each option you mentioned. If I separate the subsearch from the main search, it returns values, but not together.

```spl
index=* user=xxx* computer=vdi*
    [ search sourcetype=something user=user1 event="logged"
    | table user, event | dedup user, event]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time
```

OR

```spl
index=* user=xxx* computer=vdi*
    [ search sourcetype=something user=user1 event="logged"
    | fields + user, event | dedup user, event]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time
```
Additionally, when I use the join command shown below, it only gives me the main search. I need it to do a comparison between the user in the subsearch and pull only the corresponding results from the main search specific to that user's activities. Sometimes the user may be different from the user within the subsearch.

```spl
index=* user=xxx* computer=vdi*
| join user type=left
    [ search sourcetype=something user=user1 event="logged"
    | table user, event | dedup user, event]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time
```
Hi scc00,

try something like this:

```spl
index=* user=xxx* computer=vdi*
| join user type=left [search sourcetype=something user=user1 event="logged" | fields user event ]
| eval hostname=coalesce(computer, host)
| table _time, user, hostname, event
| sort 0 -_time
```

Bye.
Giuseppe
Thanks Giuseppe, so this only gives me one side of the data. I am trying to link user logins to user application activity. I am having some trouble bringing the two pieces together. Any thoughts around the best method to link the user login with the user application login?
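None of the posts above says why the three searches come back empty, so here is the mechanism and a worked alternative, added by the editor and not part of any post in the thread. A subsearch's result rows are rewritten into search terms that are ANDed onto the outer search: with `| table user, event` the subsearch emits `( user="user1" AND event="<value from the application event>" )`, and the VDI events carry neither that `user` value (when the VDI ID differs from the application ID) nor an `event` field, so no VDI event can match. `join user` fails for the same reason when the two IDs differ, and a `type=left` join then returns only the VDI side, which is exactly what was reported. The search below uses neither a subsearch nor a join: it reads both sources in one base search, maps application IDs to VDI IDs through a lookup, and uses `streamstats` to attach the most recent VDI logon to every application login. The index names `vdi_index` and `app_index`, the lookup `user_id_map` (a CSV with columns `app_user` and `vdi_user`), and the field names `src`, `app_user`, `login_id`, `vdi_logon_time`, `last_vdi_logon` and `secs_since_vdi_logon` are assumptions made for this illustration.

```spl
(index=vdi_index computer=vdi* user=*) OR (index=app_index sourcetype=something event="*logged*")
| eval hostname=coalesce(computer, host)
| eval src=if(sourcetype="something", "app", "vdi")
| eval app_user=if(src="app", user, null())
| lookup user_id_map app_user OUTPUT vdi_user
| eval login_id=coalesce(vdi_user, user)
| eval vdi_logon_time=if(src="vdi", _time, null())
| sort 0 login_id _time
| streamstats current=f last(vdi_logon_time) AS last_vdi_logon by login_id
| where src="app"
| eval secs_since_vdi_logon=_time-last_vdi_logon
| eval last_vdi_logon=strftime(last_vdi_logon, "%Y-%m-%d %H:%M:%S")
| table _time, login_id, user, hostname, event, last_vdi_logon, secs_since_vdi_logon
| sort 0 -_time
```

Step by step: `src` tags each event by source; `app_user` is set only on application events so the lookup is applied only to them; `login_id` is the VDI ID for VDI events and the mapped VDI ID for application events, which is the common key the original searches lacked. `vdi_logon_time` exists only on VDI events, so `streamstats last(vdi_logon_time)` with `current=f` carries the most recent earlier VDI logon forward onto each application event of the same `login_id`; the `sort 0 login_id _time` before it is required because `streamstats` works in event order. The final `where src="app"` keeps one row per application login, with the VDI logon it followed and the gap in seconds. Application logins that have no earlier VDI logon for their mapped ID come out with `last_vdi_logon` empty, so `| where isnull(last_vdi_logon)` in place of the last two lines lists application logins that cannot be tied to a VDI session. If no lookup table is available, replace the `lookup` line with an `eval vdi_user=case(...)` mapping or, where the IDs differ only by a fixed prefix or suffix, a `rex` that extracts the common part into `login_id`.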