Bump to working URL: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy ... View more

Working link at https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Deploysecurepasswordsacrossmultipleservers now ... View more

The link didn't get me to an answer, but this one did: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Resolveorphanedsearches   Specifically this section https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Resolveorphanedsearches#Reassign_unshared.2C_orphaned_knowledge_objects ... View more

Spot on! Thanks, the "sort" is the part I was missing to put the transactions next to each other. Just for transparency, those prefix lines are standard rfc5424 syslog fields, so a Splunk addon I have is already extracting them for me so I have _time, host, appname, procid already extracted. The final search to do the trick looks like this (minimizing the changes to demonstrate what was important here based on your input). appname=sftp-server | rex field=_raw "session (opened|closed) for local user (?<sftp_user>[^ ]+) from" | rex field=_raw "close \".*\" bytes read (?<sftp_bytes_read>\d+)" | sort 0 host appname procid _time | filldown sftp_user | timechart sum(sftp_bytes_read) by sftp_user   ... View more

Ah, thanks. It looks like filldown will do the trick most of the time. But if I am right in my understanding, as soon as I get another connection in the middle of a transaction, I'd get the wrong user in the latter events? E.g., in a situation like the below, I have a long running session for userA, and if I get a connection for userB, all the latter downloads by userA will be assigned to userB. I was trying to use a transaction to group the transaction based on the hostname and PID (procid) but then ended up asking how to get the individual lines out of it.   <38>1 2021-09-16T09:36:51.384489+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] session opened for local user userA from [#.#.#.#] <38>1 2021-09-16T09:36:51.385571+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] received client version 4 <38>1 2021-09-16T09:36:51.386537+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] realpath "." <38>1 2021-09-16T09:36:51.387378+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] stat name "....." <38>1 2021-09-16T09:36:51.389034+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] opendir "....." <38>1 2021-09-16T09:37:01.384311+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:01.385507+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 0 written 0 <38>1 2021-09-16T09:37:01.386448+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:01.387447+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1220821 written 0 <38>1 2021-09-16T09:37:01.388243+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:11.384320+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1220274 written 0 <38>1 2021-09-16T09:37:11.385360+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:11.386432+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1218135 written 0 <38>1 2021-09-16T09:37:11.387112+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:11.387754+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1216635 written 0 <38>1 2021-09-16T09:37:13.519659+09:00 hostname sftp-server 11797 - [origin ip="#.#.#.#"] session opened for local user userB from [#.#.#.#] <38>1 2021-09-16T09:37:13.667708+09:00 hostname sftp-server 11797 - [origin ip="#.#.#.#"] received client version 3 <38>1 2021-09-16T09:37:13.829500+09:00 hostname sftp-server 11797 - [origin ip="#.#.#.#"] realpath "." <38>1 2021-09-16T09:37:13.991276+09:00 hostname sftp-server 11797 - [origin ip="#.#.#.#"] session closed for local user userB from [#.#.#.#] <38>1 2021-09-16T09:37:21.383055+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:21.384737+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1219862 written 0 <38>1 2021-09-16T09:37:21.385609+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:21.385642+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1218359 written 0 <38>1 2021-09-16T09:37:41.384710+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] open "....." flags READ mode 0666 <38>1 2021-09-16T09:37:41.385632+09:00 hostname sftp-server 20715 - [origin ip="#.#.#.#"] close "....." bytes read 1220359 written 0     ... View more