Data analytics using Splunk for Horizon View logs

January 25, 2019

Recently I was working on data analytics with Splunk and wrote a few queries to pull some analytics out of Horizon View Connection Server and Security Server logs. Below are the queries I wrote for troubleshooting:

Connection hits over time on node LNDCB02 (any client IP), reported as HitsFromInternet:

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB02.India. | timechart count(empid) as HitsFromInternet

The same for node LNDCB01, reported as HitsFromIntranet:

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB01.India. | timechart count(empid) as HitsFromIntranet

Number of distinct users (by empid) with a "connected to machine" event for UFTLAB*; the rex extracts domain, empid, status and machine from the log line:

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | stats count(empid)

Per-user table of connections, driven by the dashboard tokens $field3$ and $field2$, one row per empid:

index=vm_cb "connected to machine" $field3$* $field2$ | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | table empid, machine, domain, status, Time | dedup empid

Distinct connected users over time (UserCountToday):

index=vm_cb "connected to machine" | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | timechart dc(empid) as UserCountToday

Time spent per user, taken from the "disconnected from" events on host LNDCB01 (sessiontime summed per empid; the output column name contains spaces and parentheses, so it must be quoted):

index=vm_cb host=LNDCB01 "disconnected from" UFTLAB* $field2$ | rex "^\d[^ \s]+\s\w+\s\s\W[^ \s]+\s\W[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W(?P<empid>\d+)\s(?P<status>\w+)\w+\s+\w+\s\w+\s(?P<machine>\w+)\w+\s\w+\s\w+\s\w+\W[^ \s]+\s-\s\w+\s\w+\s\w+\s(?P<sessiondate>\w+\s\d+\W\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\s\w+)\s\w+\W\s\w+\s\w+\s(?P<sessiontime>\d+)\s\w+\s\d+\s\w+" | table domain, empid, status, sessiondate, sessiontime | chart sum(sessiontime) as "time_spend(in minutes)" by empid

Events for a given client IP ($field2$) with the user, severity, acknowledgement state and node:

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress $field2$ | table UserDisplayName, ClientIpAddress, Severity, Acknowledged, Node, Time

The deduplicated user count from above, charted over time:

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | timechart count(empid)

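A quick way to check the "connected to machine" rex pattern before it lands on a dashboard is to run it offline. The Python script below is an added example, not from the post: it reuses the page's regex unchanged, feeds it constructed sample lines whose layout is assumed from that pattern (thread and tag names are made up), and reproduces the rex, the raw count and the dedup empid | stats count(empid) steps so the extracted fields and the difference between hits and distinct users can be seen directly.

```python
"""Offline check of the page's "connected to machine" rex pattern.

The regex is copied from the Splunk queries above; the log lines are
constructed samples whose layout is assumed from it, not real Horizon output.
"""
import re
from collections import Counter

# Splunk rex uses PCRE; Python's re accepts the same (?P<name>...) groups.
# The unescaped '.' after the seconds field matches any single character.
CONNECT_RE = re.compile(
    r"^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+"
    r"[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s"
    r"(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)"
)

def _sample(ts, level, tid, empid, machine):
    """One constructed log line (thread and tag names are made up)."""
    return (f"{ts} {level}  ({tid}) <TP-Processor12> [SessionTracker] "
            f"User UFTLAB\\{empid} connected to machine {machine}")

SAMPLE_LINES = [
    _sample("2019-01-25T10:15:30.123+05:30", "INFO", "0A1C-0B2D", "12345", "LNDVDI0101"),
    _sample("2019-01-25T10:16:02.456+05:30", "INFO", "0A1C-0B2E", "67890", "LNDVDI0102"),
    _sample("2019-01-25T11:40:11.789+05:30", "INFO", "0A1C-0B2F", "12345", "LNDVDI0103"),
    # Not an INFO line: rex yields no fields for it, exactly as in Splunk.
    _sample("2019-01-25T11:41:00.001+05:30", "DEBUG", "0A1C-0B30", "11111", "LNDVDI0104"),
]

def extract_connections(lines):
    """Equivalent of the rex stage: the four named fields per matching line."""
    rows = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def connections_per_user(lines):
    """Raw hits per empid, what timechart count(empid) sees before dedup."""
    return Counter(r["empid"] for r in extract_connections(lines))

def distinct_user_count(lines):
    """Equivalent of dedup empid | stats count(empid)."""
    return len({r["empid"] for r in extract_connections(lines)})

if __name__ == "__main__":
    print(extract_connections(SAMPLE_LINES), distinct_user_count(SAMPLE_LINES))
```
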
© 2019 VM-Xpress