Splunk User Behavior Analytics
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use streamstats for different time window and different users

TheKellind
New Member
‎08-07-2020 01:27 AM

Hi,

I am trying to build a table that counts different processes that occurred for a particular users in a 5 minute widow before the crash. I need that to analyze user behavior and reason behind the crash. I am using UberAgent data for this.

I have a search that shows events before the crash, the challenge is to combine different users with different 5 minute windows into one table. My raw data has time and event columns, I am looking for a way to introduce time filter per user:

timeeventtime filter
01:05crash_event_user_1 
01:04:59event_user_1include
01:04:58event_user_1include
01:04:42event_user_1include
01:04:31event_user_1include
01:02:30event_user_1include
01:01:25event_user_1include
12:59:25event_user_1exclude
12:58:25event_user_1exclude
01:03crash_event_user_2 
01:02:59event_user_2include
01:02:58event_user_2include
01:02:42event_user_2include
12:48:25event_user_2include
12:47:25event_user_2exclude
12:46:25event_user_2exclude


Which commands you think can be useful in creating the searches?

Is there a use e.g. for streamstats in narrowing the 5 minute window? Might using window parameter help

 

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-07-2020 07:04 AM

can you provide one sample event.

————————————
If this helps, give a like below.
0 Karma
Reply

TheKellind
New Member
‎08-10-2020 02:37 AM
TypeFieldValue
SelectedhostSI38-FAA0401035
 sourceuberAgent
 sourcetypeuberAgent:Application:Errors
EventAdDomainDns 
 AdOuCloud/Servers/Global/Virtual Workspace/SNG/SI38/POD4a
 AdSiteSingapore
 AppIdMsOffc
 AppNameMicrosoft Office
 AppVersion16.0.11929.20776
 CPUCoresLogical8
 CPUCoresPhysical8
 CPUMaxMhz2095
 CPUNameIntel(R) Xeon(R) Gold 6152 CPU @ 2.10GHz
 CPUSockets4
 CtxDeliveryGroupNameGlobal_Win2016_Desktops_STD
 CtxFarmNameSI38_POD4a
 CtxMachineCatalogNameGlobal_ESX_Desktops_SI38_POD4a_CHS1
 ErrorType1
 ErrorTypeNameCrash
 ExceptionCode0xc0000005
 FaultOffset0x0000000000065573
 HwIsVirtualMachine1
 HwManufacturerVMware, Inc.
 HwModelVMware7,1
 Ipv4Address10.91.32.147
 IsBatteryPresent0
 ModuleNamentdll.dll
 ModulePathC:\Windows\SYSTEM32\ntdll.dll
 ModuleTimestamp2020-04-08 11:22:46.000 +0800
 ModuleVersion10.0.14393.3630
 OsBuild14393
 OsTypeTerminal Server
 OsUpdateBuildRevision3808
 OsVersion10
 ProcGUID47a3a19d-786e-4e94-00fe-83135b186c58
 ProcID20116
 ProcLifetimeMs3139615
 ProcNamelync.exe
 ProcPathC:\Program Files\Microsoft Office\root\Office16\lync.exe
 ProcTimestamp2020-05-08 09:22:49.000 +0800
 ProcUserXXX
 ProcVersion16.0.11929.20776
 RAMSizeGB64
 SessionGUID00000003-912c-c4ef-ade4-af41c76ed601
 Timestamp1.59703E+12
 destSI38-FAA0401035
Time_time2020-08-10T06:31:43.794+02:00
Defaultindexapp_uberagent_nonsec_int_sg
 linecount1
 punct,,.,:\_\_\\\.,...,--_::._+,.,:\\\.,...,--_::._+,,,
 splunk_server

 

 

Crashes I need to analyze are shown in the uberAgent:Application:Errors sourcetypes but the table with counts of e.g. ModuleName per user needs o have all sources available.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...