Data analytics using Splunk for Horizon View logs

January 25, 2019

Recently I was working on data analytics with Splunk and wrote a few queries to pull some analytics out of Horizon View Connection Server and Security Server logs. Below are the queries I wrote to troubleshoot. Tokens such as $field2$ and $field3$ are dashboard inputs substituted at search time, and the rex patterns are tied to the exact wording of the "connected to machine" and "disconnected from" lines in the debug logs, so check them against a sample event if your log format differs.

Hits arriving through the Internet-facing node (LNDCB02): connection events that carry a client IP address, counted over time.

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" ClientIpAddress=* Node=LNDCB02.India. | timechart count(empid) as HitsFromInternet

The same count for the intranet node (LNDCB01):

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" ClientIpAddress=* Node=LNDCB01.India. | timechart count(empid) as HitsFromIntranet

Number of distinct UFTLAB users who connected to a desktop. The rex extracts domain, empid, status and machine from the "connected to machine" line; dedup empid before the count makes it a distinct count (the same as stats dc(empid)), so a user who reconnects several times is counted once.

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | stats count(empid) as DistinctUsers

Per-user connection table driven by dashboard tokens ($field3$ for the domain prefix, $field2$ for an extra search term such as a user ID). dedup empid keeps only the first connection seen for each user.

index=vm_cb "connected to machine" $field3$* $field2$ | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | table empid, machine, domain, status, Time | dedup empid

Distinct connected users over time across all domains. dc() gives the distinct count per time bucket, so the chart is not inflated by reconnects.

index=vm_cb "connected to machine" | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | timechart dc(empid) as UserCountToday

Time spent per user, taken from the "disconnected from" lines on LNDCB01, which end with the session date and the session length in minutes. The alias contains spaces and parentheses, so it has to be quoted or Splunk rejects the chart command.

index=vm_cb host=LNDCB01 "disconnected from" UFTLAB* $field2$ | rex "^\d[^ \s]+\s\w+\s\s\W[^ \s]+\s\W[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W(?P<empid>\d+)\s(?P<status>\w+)\w+\s+\w+\s\w+\s(?P<machine>\w+)\w+\s\w+\s\w+\s\w+\W[^ \s]+\s-\s\w+\s\w+\s\w+\s(?P<sessiondate>\w+\s\d+\W\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\s\w+)\s\w+\W\s\w+\s\w+\s(?P<sessiontime>\d+)\s\w+\s\d+\s\w+" | table domain, empid, status, sessiondate, sessiontime | chart sum(sessiontime) as "time_spend (in minutes)" by empid

Look up who connected from a given client IP address ($field2$), together with the node that served the session.

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" ClientIpAddress=$field2$ | table UserDisplayName, ClientIpAddress, Severity, Acknowledged, Node, Time

First connection per UFTLAB user, bucketed over time (dedup empid runs before the timechart, so each user appears once, in the bucket of their first connection).

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | timechart count(empid) as DistinctUsers


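As an added example that is not part of the original post, the following Python script runs the same logic as the rex-based queries above over a handful of constructed log lines, so the behaviour of dedup, count() and dc() can be checked offline before it is trusted in a dashboard. It extracts domain, empid and machine from "connected to machine" lines, counts connections versus distinct users per day (the difference between count(empid) and dc(empid), or dedup empid before counting), and sums session minutes per user from "disconnected from" lines. The line format is an assumption modelled on what the page's regexes expect, not verified Horizon View output; the sample events, the regexes and the helper function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample events (not real Horizon View output). The token order
# mirrors what the page's rex patterns expect: timestamp, level, a few
# bracketed tokens, then "DOMAIN\empid connected to machine <name>" or a
# "disconnected from" line that ends with the session length in minutes.
SAMPLE_LOG = """\
2019-01-25T09:02:11.120+05:30 INFO  (1A2B-3C4D) <Thread-7> [Broker] User UFTLAB\\100234 connected to machine VDI0012
2019-01-25T09:05:40.004+05:30 INFO  (1A2B-3C4D) <Thread-9> [Broker] User UFTLAB\\100877 connected to machine VDI0031
2019-01-25T09:20:02.771+05:30 INFO  (1A2B-3C4D) <Thread-7> [Broker] User UFTLAB\\100234 connected to machine VDI0012
2019-01-25T11:41:09.310+05:30 INFO  (1A2B-3C4D) <Thread-3> [Broker] User UFTLAB\\100234 disconnected from machine VDI0012 after 98 minutes
2019-01-25T12:03:55.900+05:30 INFO  (1A2B-3C4D) <Thread-9> [Broker] User UFTLAB\\100877 disconnected from machine VDI0031 after 178 minutes
2019-01-26T08:15:00.000+05:30 INFO  (1A2B-3C4D) <Thread-2> [Broker] User UFTLAB\\100551 connected to machine VDI0007
2019-01-26T08:15:01.000+05:30 DEBUG (1A2B-3C4D) <Thread-2> [Broker] heartbeat ok
"""

# Timestamp and level prefix, then a lazy skip to the DOMAIN\empid token.
# Assumed field layout; adjust TS/USER if your debug log differs.
TS = r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+INFO\s+.*?"
USER = r"(?P<domain>\w+)\\(?P<empid>\d+)\s+"

CONNECT_RE = re.compile(TS + USER + r"connected to machine\s+(?P<machine>\w+)")
DISCONNECT_RE = re.compile(
    TS + USER + r"disconnected from machine\s+(?P<machine>\w+)"
    r"\s+after\s+(?P<sessiontime>\d+)\s+minutes"
)


def parse_events(text):
    """Turn raw log text into a list of connect/disconnect event dicts.

    Lines that match neither pattern (other levels, other messages) are
    dropped, the same way the search filters in the queries drop them.
    """
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            events.append({"kind": "connected", **m.groupdict()})
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sessiontime"] = int(ev["sessiontime"])
            events.append({"kind": "disconnected", **ev})
    return events


def connections_per_day(events):
    """Equivalent of `timechart span=1d count(empid)`: every connect counts."""
    per_day = defaultdict(int)
    for ev in events:
        if ev["kind"] == "connected":
            per_day[ev["ts"][:10]] += 1
    return dict(sorted(per_day.items()))


def distinct_users_per_day(events):
    """Equivalent of `timechart span=1d dc(empid)`: reconnects count once."""
    per_day = defaultdict(set)
    for ev in events:
        if ev["kind"] == "connected":
            per_day[ev["ts"][:10]].add(ev["empid"])
    return {day: len(users) for day, users in sorted(per_day.items())}


def first_connection_per_user(events):
    """Equivalent of `table empid, machine, domain | dedup empid`.

    dedup keeps the first event seen per empid, so the result maps each user
    to the machine, domain and timestamp of their first connection.
    """
    first = {}
    for ev in events:
        if ev["kind"] == "connected" and ev["empid"] not in first:
            first[ev["empid"]] = (ev["machine"], ev["domain"], ev["ts"])
    return first


def minutes_per_user(events):
    """Equivalent of `chart sum(sessiontime) by empid` over disconnect lines."""
    totals = defaultdict(int)
    for ev in events:
        if ev["kind"] == "disconnected":
            totals[ev["empid"]] += ev["sessiontime"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("connections per day:", connections_per_day(evs))
    print("distinct users per day:", distinct_users_per_day(evs))
    print("first connection per user:", first_connection_per_user(evs))
    print("minutes per user:", minutes_per_user(evs))
```

On the constructed sample the two per-day functions disagree for 2019-01-25 (three connections, two users), which is exactly the gap between the count(empid) queries and the dc(empid) or dedup variants: a user who reconnects after a dropped session inflates the hit count but not the user count, so pick the aggregate that matches the question being asked.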