
Data analytics with Spunk for Horizon View Data

July 25, 2018

While doing data analytics with Splunk, I wrote a few queries to pull usage and session analytics out of Horizon View Connection Server and Security Server logs. They are listed below. All of them search the vm_cb index, which holds the debug logs from C:\ProgramData\VMware\VDM\logs on those servers; the $field2$ and $field3$ tokens are dashboard form inputs (client IP, user ID, machine prefix) and must be replaced with literal values when the query is run from the search bar.
Hits per time bucket on node LNDCB02 (the Internet-facing connection server in this setup). Note that a bare clientipaddress * is a keyword search for the word "clientipaddress" followed by match-all; if ClientIpAddress is an extracted field, ClientIpAddress=* is the precise filter:

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB02.India. | timechart count(empid) as HitsFromInternet

The same count for node LNDCB01 (the intranet connection server):

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB01.India. | timechart count(empid) as HitsFromIntranet

Number of distinct users who connected to a UFTLAB* desktop in the search window. The rex pulls domain, employee ID, status and machine name out of the "connected to machine" message; dedup keeps one event per empid before counting:

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | stats count(empid)

Dashboard version of the same extraction: the machine prefix comes in as $field3$ and an extra filter term as $field2$, and the result is one table row per user:

index=vm_cb "connected to machine" $field3$* $field2$ | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | table empid,machine,domain,status , Time | dedup empid

Distinct users per time bucket across all desktops. dc() already counts each empid once per bucket, so no dedup is needed here:

index=vm_cb "connected to machine" | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ ]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | timechart dc(empid) as UserCountToday

Minutes spent per user, taken from the "disconnected from" message on LNDCB01, which carries the session start date and its duration in minutes. The alias for the summed column contains spaces and parentheses, so it has to be quoted or the chart command will not parse:

index=vm_cb host=LNDCB01 "disconnected from" UFTLAB* $field2$ | rex "^\d[^ \s]+\s\w+\s\s\W[^ \s]+\s\W[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W(?P<empid>\d+)\s(?P<status>\w+)\w+\s+\w+\s\w+\s(?P<machine>\w+)\w+\s\w+\s\w+\s\w+\W[^ \s]+\s-\s\w+\s\w+\s\w+\s(?P<sessiondate>\w+\s\d+\W\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\s\w+)\s\w+\W\s\w+\s\w+\s(?P<sessiontime>\d+)\s\w+\s\d+\s\w+" | table domain , empid , status , sessiondate , sessiontime | chart sum(sessiontime) as "time_spend (in minutes)" by empid

All connection-server events for a single client IP (entered as $field2$), with the user, node and severity fields the debug log provides; useful when checking where an address seen on the Security Server actually landed:

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress $field2$ |table UserDisplayName ,ClientIpAddress,Severity,Acknowledged,Node ,Time

The distinct-user count from above as a timechart. Because dedup runs before timechart, only one event per empid survives (the most recent, since search results arrive newest first), so each user lands in a single bucket; to see how many users were active in each interval use timechart dc(empid) instead, as in the query before the disconnect one:

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | timechart count(empid)
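
As an added worked example (not part of the original post, and not VMware's or Splunk's code), the Python script below does offline what the queries above do in SPL. It reuses the post's rex for the "connected to machine" message to pull domain, empid, status and machine out of a handful of constructed debug-log lines, then computes distinct users per day (the timechart dc(empid) query), minutes per user by pairing each connect with the next disconnect on the same desktop (an alternative to the disconnect-message regex, whose message format is not shown on this page), and one check the post does not have: a user opening a second desktop while a session on another one is still active. The line layout, the "disconnected from machine" wording and the sample lines are assumptions built to fit the rex; real Horizon View debug lines will need the timestamp and message patterns adjusted.

```python
"""Offline version of the Horizon View session analytics from the post.

Added example: the log line layout below is an assumption constructed to fit
the post's rex; check it against real debug-*.txt lines before relying on it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Field extraction copied verbatim from the post's "connected to machine" rex.
# Python's (?P<name>...) groups use the same syntax as Splunk. The status group
# is just three words, so the pattern also fits "disconnected from machine"
# lines; the post relies on the search phrase to separate the two, here we
# dispatch on the extracted status instead.
EVENT_RE = re.compile(
    r"^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+"
    r"[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s"
    r"(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)"
)
# The post's rex does not capture the timestamp; take it separately, to the second.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Constructed sample lines (not real Horizon View output). The WARN line shows
# that lines which do not fit the rex are skipped rather than mis-parsed.
SAMPLE_LOG = r"""
2018-07-25T09:02:00.000+05:30 INFO  (1A2C-3B4D) <Thread-12> [Broker] User INDIA\12345 connected to machine UFTLAB01
2018-07-25T09:05:40.002+05:30 INFO  (1A2C-3B4E) <Thread-13> [Broker] User INDIA\67890 connected to machine UFTLAB02
2018-07-25T09:47:00.900+05:30 INFO  (1A2C-3B4F) <Thread-12> [Broker] User INDIA\12345 disconnected from machine UFTLAB01
2018-07-25T10:00:00.000+05:30 INFO  (1A2C-3B50) <Thread-15> [Broker] User INDIA\67890 connected to machine UFTLAB03
2018-07-25T10:31:00.000+05:30 WARN  (1A2C-3B51) <Thread-15> [Broker] Pool UFTLAB has 2 free machines
2018-07-25T13:10:00.120+05:30 INFO  (1A2C-3B52) <Thread-14> [Broker] User INDIA\12345 connected to machine UFTLAB01
2018-07-25T13:30:00.120+05:30 INFO  (1A2C-3B53) <Thread-14> [Broker] User INDIA\12345 disconnected from machine UFTLAB01
2018-07-26T08:30:15.001+05:30 INFO  (1A2C-3B54) <Thread-12> [Broker] User INDIA\12345 connected to machine UFTLAB01
""".strip().splitlines()


def parse_events(lines):
    """Return one dict per broker event (ts, domain, empid, status, machine)."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        t = TS_RE.match(line)
        if not m or not t:
            continue
        ts = datetime.strptime(t.group(0), "%Y-%m-%dT%H:%M:%S")
        events.append({"ts": ts, **m.groupdict()})
    return events


def distinct_users_per_day(events):
    """Equivalent of `"connected to machine" | timechart span=1d dc(empid)`."""
    users = defaultdict(set)
    for e in events:
        if e["status"] == "connected to machine":
            users[e["ts"].date().isoformat()].add(e["empid"])
    return {day: len(ids) for day, ids in sorted(users.items())}


def session_minutes(events):
    """Sum session length per empid by pairing each connect with the next
    disconnect on the same desktop. Returns (minutes per empid for closed
    sessions, sorted (empid, machine) pairs still open at the end of the log),
    so sessions without a disconnect are reported instead of silently dropped."""
    open_since = {}
    minutes = defaultdict(float)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["empid"], e["machine"])
        if e["status"] == "connected to machine":
            open_since[key] = e["ts"]
        elif e["status"] == "disconnected from machine" and key in open_since:
            minutes[e["empid"]] += (e["ts"] - open_since.pop(key)).total_seconds() / 60
    return dict(minutes), sorted(open_since)


def concurrent_machines(events):
    """Flag a user who connects to a second desktop while a session on another
    one is still open: a cheap indicator of shared credentials or a stolen
    session. Returns (empid, new machine, machines already active)."""
    active = defaultdict(set)
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        emp, machine = e["empid"], e["machine"]
        if e["status"] == "connected to machine":
            if active[emp] - {machine}:
                flagged.append((emp, machine, sorted(active[emp])))
            active[emp].add(machine)
        elif e["status"] == "disconnected from machine":
            active[emp].discard(machine)
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("distinct users per day:", distinct_users_per_day(evts))
    closed, still_open = session_minutes(evts)
    print("minutes per user:", closed, "| still open:", still_open)
    print("second desktop while one is active:", concurrent_machines(evts))
```

Pairing connect and disconnect events gives the same per-user minutes as the post's sessiontime field without depending on the exact wording of the disconnect message, and it surfaces sessions that never closed, which the sum in the chart command would simply omit.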
© 2017-18 Xtra-V!rtual