Splunk User Behavior Analytics

How to use streamstats for different time windows and different users

TheKellind
New Member

Hi,

I am trying to build a table that counts different processes that occurred for a particular user in a 5 minute window before the crash. I need that to analyze user behavior and the reason behind the crash. I am using uberAgent data for this.

I have a search that shows events before the crash; the challenge is to combine different users with different 5 minute windows into one table. My raw data has time and event columns, and I am looking for a way to introduce a time filter per user:

time      event               time filter
01:05     crash_event_user_1
01:04:59  event_user_1        include
01:04:58  event_user_1        include
01:04:42  event_user_1        include
01:04:31  event_user_1        include
01:02:30  event_user_1        include
01:01:25  event_user_1        include
12:59:25  event_user_1        exclude
12:58:25  event_user_1        exclude
01:03     crash_event_user_2
01:02:59  event_user_2        include
01:02:58  event_user_2        include
01:02:42  event_user_2        include
12:48:25  event_user_2        include
12:47:25  event_user_2        exclude
12:46:25  event_user_2        exclude


Which commands do you think can be useful in creating the searches?

Is there a use, e.g., for streamstats in narrowing the 5 minute window? Might using the window parameter help?

0 Karma

thambisetty
SplunkTrust

Can you provide one sample event?

————————————
If this helps, give a like below.
0 Karma

TheKellind
New Member
Type      Field                   Value
Selected  host                    SI38-FAA0401035
          source                  uberAgent
          sourcetype              uberAgent:Application:Errors
Event     AdDomainDns
          AdOu                    Cloud/Servers/Global/Virtual Workspace/SNG/SI38/POD4a
          AdSite                  Singapore
          AppId                   MsOffc
          AppName                 Microsoft Office
          AppVersion              16.0.11929.20776
          CPUCoresLogical         8
          CPUCoresPhysical        8
          CPUMaxMhz               2095
          CPUName                 Intel(R) Xeon(R) Gold 6152 CPU @ 2.10GHz
          CPUSockets              4
          CtxDeliveryGroupName    Global_Win2016_Desktops_STD
          CtxFarmName             SI38_POD4a
          CtxMachineCatalogName   Global_ESX_Desktops_SI38_POD4a_CHS1
          ErrorType               1
          ErrorTypeName           Crash
          ExceptionCode           0xc0000005
          FaultOffset             0x0000000000065573
          HwIsVirtualMachine      1
          HwManufacturer          VMware, Inc.
          HwModel                 VMware7,1
          Ipv4Address             10.91.32.147
          IsBatteryPresent        0
          ModuleName              ntdll.dll
          ModulePath              C:\Windows\SYSTEM32\ntdll.dll
          ModuleTimestamp         2020-04-08 11:22:46.000 +0800
          ModuleVersion           10.0.14393.3630
          OsBuild                 14393
          OsType                  Terminal Server
          OsUpdateBuildRevision   3808
          OsVersion               10
          ProcGUID                47a3a19d-786e-4e94-00fe-83135b186c58
          ProcID                  20116
          ProcLifetimeMs          3139615
          ProcName                lync.exe
          ProcPath                C:\Program Files\Microsoft Office\root\Office16\lync.exe
          ProcTimestamp           2020-05-08 09:22:49.000 +0800
          ProcUser                XXX
          ProcVersion             16.0.11929.20776
          RAMSizeGB               64
          SessionGUID             00000003-912c-c4ef-ade4-af41c76ed601
          Timestamp               1.59703E+12
          dest                    SI38-FAA0401035
Time      _time                   2020-08-10T06:31:43.794+02:00
Default   index                   app_uberagent_nonsec_int_sg
          linecount               1
          punct                   ,,.,:\_\_\\\.,...,--_::._+,.,:\\\.,...,--_::._+,,,
          splunk_server

Crashes I need to analyze are shown in the uberAgent:Application:Errors sourcetype, but the table with counts of e.g. ModuleName per user needs to have all sources available.

0 Karma
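An added example of a search that implements the per-user window from the question's table and the follow-up about counting across all sources (it is not a search from the original thread); it assumes every uberAgent sourcetype in the index carries ProcUser and ProcName, and it recognises a crash by the ErrorTypeName=Crash field of the uberAgent:Application:Errors sample event. Sorting each user's events newest-first lets streamstats carry the timestamp of the nearest later crash down onto the earlier events, so each event is kept only when it lies within 300 seconds before that crash; streamstats' window= option counts events rather than seconds, so it is not used here.

```spl
index=app_uberagent_nonsec_int_sg ProcUser=*
| eval crash_time=if(sourcetype="uberAgent:Application:Errors" AND ErrorTypeName="Crash", _time, null())
| sort 0 ProcUser -_time
| streamstats last(crash_time) AS last_crash BY ProcUser
| where isnotnull(last_crash) AND _time<last_crash AND _time>=last_crash-300
| stats count AS events BY ProcUser last_crash ProcName
| eval crash_time=strftime(last_crash, "%Y-%m-%d %H:%M:%S")
| table ProcUser crash_time ProcName events
| sort 0 ProcUser -crash_time -events
```

`sort 0` lifts the default 10,000-event limit of sort, so narrow the time picker before running this over a large index. Each user can appear with several crash_time values, one row group per crash, which is the combined table the question asks for.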