Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About PHRaymond
PHRaymond
Explorer
Member since:
03-17-2012
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 03-17-2012 |
Activity Feed
- Karma Re: How can I catch the both the first and last occurance of an event? for Damien_Dallimor. 06-05-2020 12:46 AM
- Got Karma for Multiple sourcetypes in a search?. 06-05-2020 12:46 AM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 05:30 PM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 04:54 PM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 04:53 PM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 04:06 PM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 03:55 PM
- Posted Re: How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 03:51 PM
- Posted How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 02:06 PM
- Tagged How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 02:06 PM
- Tagged How can I catch the both the first and last occurance of an event? on Splunk Search. 03-18-2012 02:06 PM
- Posted Re: Multiple sourcetypes in a search? on Getting Data In. 03-17-2012 11:24 AM
- Posted Multiple sourcetypes in a search? on Getting Data In. 03-17-2012 10:17 AM
- Tagged Multiple sourcetypes in a search? on Getting Data In. 03-17-2012 10:17 AM
- Tagged Multiple sourcetypes in a search? on Getting Data In. 03-17-2012 10:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 |
03-18-2012
05:30 PM
I'm running some test scenarios and the first question that pops up is: how can I get the results to sort so that the "stop" column is ordered latest to earliest? (This is coming up as I experiment with using multiple sourcetypes to build a bigger picture; some proxy logs don't have a user but, say, a VPN log for the same IP might.)
... View more
03-18-2012
04:54 PM
(As for the why on that last, I use a macro that fills in everything after the IP for me automatically, so my methodology is to type/paste in the IP I'm looking for and then kick off the macro.)
... View more
03-18-2012
04:53 PM
Ok, now we're cooking with gas! I like "twice as fast" and "single pass" quite a bit, and I'm not wedded to the separate line idea; in fact, the columns makes even more sense.
So, combining this with Damien's time conversion, I've got:
sourcetype=proxy ip=192.168.1.1 | eval time=strftime(_time, "%d/%m/%y %H:%M:%S") | stats earliest(time) as start, latest(time) as stop by user,ip
I like it. Now, question, would this work as efficiently:
192.168.1.1 sourcetype=proxy | eval time=strftime(_time, "%d/%m/%y %H:%M:%S") | stats earliest(time) as start, latest(time) as stop by user,ip
... View more
03-18-2012
04:06 PM
I'm poking at GKC's answer now. I'm certainly open to better searches. That's why I'm here!
On yours, I try to run it and I get:
"Search operation 'sourcetype' is unknown. You might not have permission to run this operation."
That seems odd to me...
Unrelated, your " eval time=strftime(_time, "%d/%m/%y %H:%M:%S") " intrigues me. I've been using " convert ctime(_time) as timestamp " for what I think is the same purpose. Why might one use one over the other?
... View more
03-18-2012
03:55 PM
For example, on my prod box, running a 30 day query against an IP gives me 8 results using the transaction string you list, and 3 users. Removing it gives me 5,962 results, still 3 users. Why those 8 in the first and so many in the second? I need a confidence level that I'm not missing something.
I must go poke at this some more....
... View more
03-18-2012
03:51 PM
Hmmm. You got me to thinking with your comment "don't know quite what you're trying to do with the end search." I was so focused on the first/last time aspect that perhaps I was missing what I'm really after. If I just do my search against the first occurance in a time frame, the simple existence of a new user showing up means the prior user had to have logged off.
And I hadn't thought about the possibility of one user pulling the same IP in two sessions across a period of time!
So, transaction. Interesting. What precisely does that get me?
... View more
03-18-2012
02:06 PM
Scenario: figure out what user is using a given IP at a given point in time by using proxy logs, which captures the user's ID each time they visit a web page.
Right now I do two separate searches. This one catches the last time the user's ID shows in the log for the IP in the time period being searched:
192.168.1.1 sourcetype=proxy | dedup user | sort-_time | table _time, user,
IP
This gives me a result of:
_time user IP
1 18/03/2012 18:57:27.000 Alice 192.168.1.1
2 18/03/2012 12:47:41.000 Bob 192.168.1.1
So there's the last time they used the IP for the range searched. I then run a similar search that gives me the first time the user's ID shows:
192.168.1.1 sourcetype=proxy | dedup user sortby +_time | sort-_time |
table _time, user, IP
This gives me a result of:
_time user IP
1 18/03/2012 13:44:42.000 Alice 192.168.1.1
2 18/03/2012 07:44:40.000 Bob 192.168.1.1
So there's the first time that they used the IP. Looking at the two, I know that Alice first used the IP at 7:44 AM and last used it at 18:57 PM.
However, I have to run both searches and notate the results elsewhere in order to calculate that. Easy enough in this example, but when I have a few dozen people sharing dynamic IPs (think a VPN type of situation), it gets pretty hairy pretty fast.
So, what I want is a search that combines both of of the above and gives me an output like this:
_time user IP Start/Stop
1 18/03/2012 18:57:27.000 Alice 192.168.1.1 Stop
2 18/03/2012 13:44:42.000 Alice 192.168.1.1 Start
3 18/03/2012 12:47:41.000 Bob 192.168.1.1 Stop
4 18/03/2012 07:44:40.000 Bob 192.168.1.1 Start
Thoughts?
Thank you.
Peter
... View more
- Tags:
- dedup
- search-help
03-17-2012
10:17 AM
1 Karma
Just curious, can this search parameter be streamlined at all?
sourcetype=typeone OR sourcetype=typetwo OR sourcetype=typethree OR sourcetype=typefour
I'm just looking for something more elegant, so this isn't critical by any means. I was hoping for something like:
sourcetype=(typeone,typetwo,typethree,typefour)
but no love. Any thoughts?
Thank you.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
