Data analytics using Splunk for Horizon View logs

Recently I was working on data analytics with Splunk and wrote a few queries to pull analytics out of Horizon View Connection Server and Security Server logs. Below are the queries I wrote for troubleshooting:

Time chart of client connections that arrived via node LNDCB02 (labelled HitsFromInternet):

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB02.India. | timechart count(empid) as HitsFromInternet

The same chart for node LNDCB01 (labelled HitsFromIntranet):

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress * Node=LNDCB01.India. | timechart count(empid) as HitsFromIntranet

Number of distinct employees who connected to a machine (events matching UFTLAB*), extracted with rex and deduplicated by empid:

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | stats count(empid)

Table of connected sessions (empid, machine, domain, status, time) driven by the dashboard tokens $field3$ and $field2$, one row per empid:

index=vm_cb "connected to machine" $field3$* $field2$ | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | table empid, machine, domain, status, Time | dedup empid

Time chart of the distinct users connected (labelled UserCountToday):

index=vm_cb "connected to machine" | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | timechart dc(empid) as UserCountToday

Session time per employee, taken from "disconnected from" events on host LNDCB01 and summed in minutes (the alias contains spaces and parentheses, so it has to be quoted):

index=vm_cb host=LNDCB01 "disconnected from" UFTLAB* $field2$ | rex "^\d[^ \s]+\s\w+\s\s\W[^ \s]+\s\W[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W(?P<empid>\d+)\s(?P<status>\w+)\w+\s+\w+\s\w+\s(?P<machine>\w+)\w+\s\w+\s\w+\s\w+\W[^ \s]+\s-\s\w+\s\w+\s\w+\s(?P<sessiondate>\w+\s\d+\W\s\d+\s\d{1,2}:\d{1,2}:\d{1,2}\s\w+)\s\w+\W\s\w+\s\w+\s(?P<sessiontime>\d+)\s\w+\s\d+\s\w+" | table domain, empid, status, sessiondate, sessiontime | chart sum(sessiontime) as "time_spend(in minutes)" by empid

Table of connections for a given client IP address (token $field2$):

index=vm_cb source="C:\\ProgramData\\VMware\\VDM\\logs\\debug-*.*" clientipaddress $field2$ | table UserDisplayName, ClientIpAddress, Severity, Acknowledged, Node, Time

Time chart of connections, counted once per employee (events matching UFTLAB*):

index=vm_cb "connected to machine" UFTLAB* | rex "^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)" | dedup empid | timechart count(empid)
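Before deploying a rex like the "connected to machine" one above, it helps to check the capture groups offline. This added Python example (not from the original post) runs the same pattern over constructed log lines shaped to match it (they are not real Horizon View output) and reproduces the dedup/distinct-count and hourly-bucket steps of the queries.

```python
import re
from collections import defaultdict

# Capture pattern copied from the Splunk rex in the "connected to machine" queries.
CONNECTED_RE = re.compile(
    r"^\d{1,4}-\d{1,2}-\d{1,2}T\d{1,2}:\d{1,2}:\d{1,2}.\w+[^ ]+\sINFO\s+\W+[^ \s]+\s[^ \s]+\s\W[^ \s]+\s\w+\s"
    r"(?P<domain>\w+)\W+(?P<empid>\d+)\s(?P<status>\w+\s\w+\s\w+)\s(?P<machine>\w+)"
)

# Constructed sample events (not real Horizon log output): a repeated empid, one WARN
# line the pattern must skip, and one user from a domain other than UFTLAB.
SAMPLE_LOG = """\
2019-03-12T09:05:11.120+05:30 INFO (1A2C-1F3C) <TP-Processor5> [SessionManager] User UFTLAB\\10021 connected to machine VDI001
2019-03-12T09:06:40.003+05:30 INFO (1A2C-1F3D) <TP-Processor6> [SessionManager] User UFTLAB\\10022 connected to machine VDI002
2019-03-12T09:07:02.551+05:30 WARN (1A2C-1F3E) <TP-Processor7> [SessionManager] User UFTLAB\\10023 connected to machine VDI003
2019-03-12T10:15:22.777+05:30 INFO (1A2C-1F3F) <TP-Processor8> [SessionManager] User UFTLAB\\10021 connected to machine VDI001
2019-03-12T10:16:09.000+05:30 INFO (1A2C-1F40) <TP-Processor9> [SessionManager] User CORP\\20001 connected to machine VDI010
"""


def extract_connections(log_text, domain_prefix=None):
    """Mirror of `rex ... | table domain, empid, status, machine`: one dict per match.
    domain_prefix approximates the UFTLAB* search term by filtering on the domain group."""
    events = []
    for line in log_text.splitlines():
        m = CONNECTED_RE.match(line)
        if not m:
            continue
        if domain_prefix and not m.group("domain").startswith(domain_prefix):
            continue
        events.append(m.groupdict())
    return events


def distinct_users(events):
    """`dedup empid | stats count(empid)`: number of distinct employee ids."""
    return len({e["empid"] for e in events})


def distinct_users_per_hour(log_text):
    """Rough `timechart span=1h dc(empid)`: distinct empids per hour bucket."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            buckets[line[:13]].add(m.group("empid"))  # 'YYYY-MM-DDTHH' prefix
    return {hour: len(ids) for hour, ids in sorted(buckets.items())}


if __name__ == "__main__":
    uft = extract_connections(SAMPLE_LOG, "UFTLAB")
    print(distinct_users(uft), distinct_users_per_hour(SAMPLE_LOG))
```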

© 2019 VM-Xpress