I use this for a report that generates every morning to show me what happened yesterday.
cat_desc!="" | chart count by cat_desc | sort -count | rename cat_desc as Categories
This will show the categories and how many hits per category. To get a good view of what is going on in a specific category, I use the following example.
cat_desc="Adult Materials" | fields src,hostname,url | collect
That will show which computer it came from, the server, and the URL.
If you have your DHCP logs in Splunk, you can combine the results. The following will show you the Source IP, Source Computer, Website, and URL.
cat_desc="Pornography" | join src,date_mday [search sourcetype="DhcpSrvLog" NOT desc="Expired"] | fields src,src_host,hostname,url | collect | rename src as IpAddress | rename src_host as Computer | rename hostname as WebSite | rename url as URL
Hope these examples help.