Sorry for my late reply. I am new to Splunk, so any help is a massive step forward. Thank you in advance.
I am trying to configure two dashboards showing us a daily picture of:
Web pages visited, account (user name), division, time of visit
Basically who is looking at what when.
Presently, I have created two dashboards: one for LAN access and one for VPN access.
The search below, in order to display who, what, div and time should be joined with the index rsa created from a csv file.
Vpn Access
index="access_combined_apache" Source_IP !=10.3.36.65 AND Source_IP !=10.3.* AND Source_IP !=localhost AND Source_IP !=127.0.0.1 AND Source_IP !=146.247* AND Source_IP !=- AND uri_path !=/access-denied.html AND uri_path !=.ico AND uri_path !=.png AND uri_path !=.gif AND uri_path !=.jpg AND uri_path !=.js AND uri_path !=.css AND uri_path !=.jsp AND uri_path !=.pdf AND uri_path !=.ico AND uri_path !=.html AND uri_path !=/image AND uri_path !=/c/* AND uri_path !=/c AND uri_path !=/image/* AND uri_path !=/template* AND uri_path !=/documents* | rename Source_IP as Client_Address| rename uri_path as Web_page_Visited|dedup Web_page_Visited Client_Address| table Client_Address Web_page_Visited _time
Result
Address VPN, Page, Time
index="rsa" | table Account_Name Division Computer_Network_Address
(CSV file, with an import time that would be ignored)
1 Mario Rossi ABC 172.16.00.12
2 David Brown CBB 172.16.11.22
.
.
.
571 Fabrizio White BCA 172.16.00.3
Results: Name, Division, Address VPN
The 2nd search, for the dashboard referring to the LAN, should be the combination of the following indexes/sources:
Internal Network (only) –
index="access_combined_apache" Source_IP !=10.3.36.65 AND Source_IP !=localhost AND Source_IP !=172* AND Source_IP !=127.0.0.1 AND Source_IP !=146.247* AND Source_IP !=- AND uri_path !=/access-denied.html AND uri_path !=.ico AND uri_path !=.png AND uri_path !=.gif AND uri_path !=.jpg AND uri_path !=.js AND uri_path !=.css AND uri_path !=.jsp AND uri_path !=.pdf AND uri_path !=.ico AND uri_path !=.html AND uri_path !=/image AND uri_path !=/c/* AND uri_path !=/c AND uri_path !=/image/* AND uri_path !=/template* AND uri_path !=/documents* | rename Source_IP as Client_Address| rename uri_path as Web_page_Visited|dedup Web_page_Visited Client_Address| table Client_Address Web_page_Visited _time
Result Client(ip) Page Visited Time (no Account Name)
User Access - The index "main" refers to Active Directory
index="access_combined_apache" Source_IP !=10.3.36.65 AND Source_IP !=localhost AND Source_IP !=- AND Source_IP !=localhost AND Source_IP !=127.0.0.1 AND Source_IP !=146.247* | eval Source_Network_Address=Source_IP | table Source_Network_Address | JOIN[search index="main" | dedup Account_Name | table Source_Network_Address Account_Name] | dedup Account_Name | table Account_Name Source_Network_Address
Result Account_Name Network_Address
index="main" source=ActiveDirectory division="" displayName="" | dedup displayName | table displayName division
1 Giovanni Verdi BCF
.
.
1200 Paolo Brown ALL
Result Display Name Division
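
An added example, not part of the original post: one way to attach account and division to the VPN search by left-joining the web hits to index "rsa" on the client address. It assumes Computer_Network_Address holds the same address Apache logs as Source_IP, strips zero-padded octets (as in the sample row 172.16.00.12) on the assumption that the web logs are not padded, and shows only some of the post's exclusions; the remaining uri_path filters can be appended to the first clause unchanged.

```spl
index="access_combined_apache" Source_IP!=10.3.* Source_IP!=localhost
    Source_IP!=127.0.0.1 Source_IP!=146.247* Source_IP!=-
    uri_path!=/access-denied.html
| rename Source_IP AS Client_Address, uri_path AS Web_page_Visited
| dedup Web_page_Visited Client_Address
| join type=left Client_Address
    [ search index="rsa"
      | eval Client_Address=replace(Computer_Network_Address, "(^|\.)0+(\d)", "\1\2")
      | dedup Client_Address
      | fields Client_Address Account_Name Division ]
| fillnull value="unknown" Account_Name Division
| table _time Account_Name Division Client_Address Web_page_Visited
```

The left join keeps hits from addresses that have no row in "rsa", so unattributed access stays visible as "unknown". The join maps each address to a single account and is subject to subsearch result limits, so addresses that are reassigned between users need a time-aware mapping instead.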