I'm currently building a query that reports the top 10 urls of the top 10 users. Although my current query works, I would like a cleaner look. Query:     index="zscaler" sourcetype="zscalernss-web" appclass!=Enterprise user!=unknown | stats count by user, url | sort 0 user -count | streamstats count as standings by user | where standings < 11 | eventstats sum(count) as total by category | sort 0 -total user -count     The results look like this     user. url. count rank john.doe@example.com. example.com. 100. 1 john.doe@example.com. facebook.com. 99. 2 john.doe@example.com. twitter.com. 98. 3 john.doe@example.com. google.com. 97. 4 john.doe@example.com. splunk.com. 96. 5 jane.doe@example.com. example.com. 100. 1 jane.doe@example.com. facebook.com. 99. 2 jane.doe@example.com. twitter.com. 98. 3 jane.doe@example.com. google.com. 97. 4 jane.doe@example.com. splunk.com. 96. 5 and so forth I would like for i to look like this user. url. count john.doe@example.com. example.com. 100. facebook.com. 99. twitter.com. 98. google.com. 97. splunk.com. 96. user. url. count jane.doe@example.com. example.com. 100. facebook.com. 99. twitter.com. 98. google.com. 97. splunk.com. 96. and so forth         ... View more

I've recently onboarded data from Gsuite to Splunk. I'm currently trying to create a few queries, but I'm having problem creating queries do to the JSON format.  I'm currently just trying to create a table with owner name, file name, time, etc. I've tried using the spath command and json formatting, but I can't seem to get the data in a table. Here's an example query        index="gsuite" sourcetype="gws:reports:drive" | spath events{}.parameters{}.value.doc_title       but the field isn't created.  Here's the data in the events{}.parameters{}.value field   Here's a sample of the data.       { "actor": { "profileId": "Sample Text" }, "etag": "\"Sample Text\"", "events": [{ "name": "sheets_import_range", "parameters": [{ "boolValue": true, "name": "primary_event" }, { "name": "billable" }, { "name": "recipient_doc", "value": "123456789" }, { "name": "doc_id", "value": "123456789" }, { "name": "doc_type", "value": "spreadsheet" }, { "name": "is_encrypted" }, { "name": "doc_title", "value": "sampletext.xls" }, { "name": "visibility", "value": "shared_externally" }, { "name": "actor_is_collaborator_account" }, { "name": "owner", "value": "johndoe@gmail.com" }, { "name": "owner_is_shared_drive" }, { "name": "owner_is_team_drive" }], "type": "access" }], "id": { "applicationName": "drive", "customerId": "123456789", "time": "2022-05-06T20:55:00.285Z", "uniqueQualifier": "-123456789" }, "kind": "admin#reports#activity" }       I would like the data to look like this      owner doc_title doc_type visibility johndoe@gmail.com. sampletext.xls spreadsheet shared_externally       ... View more

I'm currently building a query that will pull data from today to April 26th,  the field value contains the following time format      termination_initiated (field value name) 2022-05-02T11:47:01.011-07:00 2022-05-02T11:42:10.820-07:00      I'm currently trying to convert is so that i can only get results between today and April 26th. I've tried this piece of code with no luck     | eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ") | where termination_started>=relative_time(now(),"-6d@d")     ... View more

I'm currently developing a splunk query that will query 2 indexes to correlate data by leveraging a users email, but  I'm not receiving any luck       index="A" Example="A" | dedup email | rename email AS actor | join actor [search index="B" | table _time, actor, fileName, shared, url ]     I also tried this query as well   (index="A" Example="A" OR index="B") | fields email | where email = actor | table _time, work_email, fileName, shared, url   ... View more