The user was struggling to join session data to their search results in order to include client_name as an additional column. It was determined that process_base carries a session_object_guid field that can be joined to session_base to look up the client_name. A join was outlined, with the advice to keep the session subset below 50k rows. The user asked for an example of this and was given one. The final result should include date, time, username, client_name, computer_name, and process_name.
Read the entire ‘Joining Session Data with Client_Name Using session_object_guid’ thread below:
Hi there!
I'm struggling with a Splunk app usage search, where I want to add the client_name as an additional column. Can someone give me a hint for joining the session data to it?
```
| tstats last(user_account) as User_Name
    last(computer_name) as computer_name
    last(process_name) as process_name
    WHERE `process_base`
    process_name="APPLICATIONNAME"
    folder_id=*
    by process_object_guid
| rex field=User_Name "^.*\\\(?<user>.*)"
```
Hi – I don't see the client_name data in the process data (process_base) you're focusing the search on.
I assume you can use the Splunk join command if you find some other connection like the client_name on session_base. You'll need something common though to base the join on.
Can you illustrate what the final result is expected to be?
The final result should contain the following columns:
date, time, username, client_name, computer_name, process_name
for each process?
Yes, so I can filter it afterwards.
process_base should have a field called session_object_guid which is what you will need to join to get the session information… I will say you should be careful… try to make sure the subset (sessions) is less than 50k.
Do you have an example for me? I didn't get the join working 🙂
I don't have access right now but I will try to put something together tomorrow.
Try this
```
| tstats last(user_account) as User_Name
    last(computer_name) as computer_name
    last(process_name) as process_name
    WHERE `process_base`
    process_name="chrome"
    folder_id=*
    by process_object_guid, session_object_guid
| rex field=User_Name "^.*\\\(?<user>.*)"
| join type=left session_object_guid [
    | tstats values(client_name) as client_name WHERE `session_base` by session_object_guid
  ]
```
Thanks! I was very close, now I understood the joins 🙂
Just FYI… it may make more sense to do that in reverse… i.e. instead of getting all the processes and finding the sessions for those processes, it may make more sense to get all the sessions and find the processes for each session… I suppose it all depends on your starting point (in this case it's a specific process name).
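Pulling the thread together, the search below is an added example (not a post from the thread, and not ControlUp's or Splunk's own code) that produces the six columns the original poster asked for: date, time, username, client_name, computer_name, process_name. It reuses the `process_base` and `session_base` macros and the field names from the thread as-is; everything else is an assumption: that `_time` is available in the data model so `max(_time)` can supply the date and time, that `client_name` is single-valued per session, and the placeholder `no_session_match`, which is a constructed marker value.

```spl
| tstats last(user_account) as User_Name
         last(computer_name) as computer_name
         last(process_name) as process_name
         max(_time) as _time
    WHERE `process_base`
          process_name="chrome"
          folder_id=*
    by process_object_guid, session_object_guid
| join type=left session_object_guid [
    | tstats values(client_name) as client_name
        WHERE `session_base`
        by session_object_guid
  ]
| fillnull value="no_session_match" client_name
| rex field=User_Name "^.*\\\(?<username>.*)"
| eval username=coalesce(username, User_Name)
| eval date=strftime(_time, "%Y-%m-%d"),
       time=strftime(_time, "%H:%M:%S")
| table date time username client_name computer_name process_name
```

Two points the thread raises are handled explicitly. First, the rex strips a DOMAIN\ prefix as in the original search, but `coalesce` keeps the raw account name when there is no backslash instead of leaving the column empty. Second, the inner tstats is a subsearch, so it is subject to Splunk's subsearch result limit (the "keep the sessions under 50k" warning above); when that limit is hit, rows are dropped silently and the affected processes simply get no client_name. The `fillnull` placeholder makes those rows stand out in the table, so a run where many rows show `no_session_match` is a signal to narrow the time range of the session subsearch and re-run rather than to trust the report. Before relying on the result, count distinct `session_object_guid` values in `session_base` over the same time range with a separate tstats search and confirm the number is comfortably below the limit.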
Categories: All Archives, ControlUp Scripts & Triggers