My Splunk server is being forwarded events from a remote Windows machine. Those events correspond to device connections and disconnections. Each event corresponds to either a connection or disconnection.
I have a CSV file containing information about those devices. The CSV file's headers look like this:
DriverName,DeviceManufacturer,DriverVersion,DeviceModel,DeviceCategory
Only the DeviceManufacturer and DeviceModel information is available in the forwarded events. The others are not.
This is what I need to do:
1. Display on a timechart the connected devices for every hour during the last day.
2. Filter the displayed data by one or more of the fields of the CSV file that are listed above.
3. Provide the options to group the displayed data by one of the same fields of the CSV file that are listed above.
Example:
List the connected devices every hour during the last day filtered by DeviceManufacturer=X and DeviceModel=Y, grouped by DeviceCategory (See example).
For now I managed to do points 1 and 2, but I cannot combine them with point 3. (I can display the timechart and filter by fields but cannot combine them with the grouping).
I did this using the following search:
eventtype=DRIVER_STATUS_CHANGED | rex "Message=(?<device>.+?) status changed from (?<from_status>.+?) to (?<to_status>.+?)\." ``` named groups restored; from_status and to_status are the names the eval below uses, the first group name was lost and "device" is assumed ```
| eval counter=case(to_status="Connected", 1, from_status="Connected", -1, 1==1, 0)
| timechart span=1m sum(counter) as counter
| streamstats sum(counter) as counter | eventstats min(counter) as min
| eval counter=if(min < 0, counter + (min*-1), counter) | fields - min
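One way to combine the three requirements in a single search, as an added example that is not part of the original post: enrich each event from the CSV with lookup, filter on any of the CSV fields, and carry the per-hour cumulative count per group before pivoting it into timechart-shaped output. It assumes the CSV is uploaded as a lookup table file named devices.csv, that DeviceManufacturer and DeviceModel are already extracted fields on the events, and that the values X and Y are placeholders.

```spl
eventtype=DRIVER_STATUS_CHANGED earliest=-24h
``` restore the named groups; the first group name is assumed ```
| rex "Message=(?<device>.+?) status changed from (?<from_status>.+?) to (?<to_status>.+?)\."
``` pull the remaining CSV columns onto each event via the two fields the events carry ```
| lookup devices.csv DeviceManufacturer DeviceModel OUTPUT DriverName DriverVersion DeviceCategory
``` point 2: filter on any of the CSV fields (replace the placeholders or drive them from dashboard tokens) ```
| search DeviceManufacturer="X" DeviceModel="Y"
``` +1 for a connection, -1 for a disconnection, 0 for anything else ```
| eval counter=case(to_status="Connected", 1, from_status="Connected", -1, 1==1, 0)
``` point 1: hourly buckets; point 3: the group field (DeviceCategory here) can be swapped for any CSV column ```
| bin _time span=1h
| stats sum(counter) as delta by _time DeviceCategory
``` running total per group, then the same min-offset correction as the original search, applied per group ```
| streamstats sum(delta) as connected by DeviceCategory
| eventstats min(connected) as min by DeviceCategory
| eval connected=if(min < 0, connected - min, connected)
| fields - min delta
``` pivot into one column per group so it renders like a timechart ```
| xyseries _time DeviceCategory connected
```

Hours in which a group produced no events have no row, so the chart shows gaps rather than the last known count; appending `| filldown` after xyseries carries the previous value forward.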