Hi all,
I'm currently working on a query to give some insight into SFTP transfers. I can show things like the length and size of an SFTP session, but I'd also like to show the name of the application that the SFTP session belongs to. My current query is:
```spl
index=postnl earliest=@h source=postnl_ftp_files_hits
| rename session_id AS id
| join type=left id
    [ search index=postnl earliest=@h source=postnl_ftp_sessions ]
| where isnotnull(ip_addr) AND size > 0
| eval time_duration=round(strptime(time_ended, "%F %T.%3N") - strptime(time_started, "%F %T.%3N"),1)
| sort 0 id
| stats values(ip_addr) AS "IP Address", values(time_started) AS "Start Time", values(time_ended) AS "End Time", values(time_duration) AS "Duration (seconds)", sum(size) AS Size, values(name) AS Name BY id
| eval Size=round(Size/1000,2)
| rename id AS ID, Size AS "Size (KB)"
```
That gives me this table:
![alt text][2]
Based on the server names (which I marked in red in the screenshot), I would like to add a new column "Application" containing the name of the application that started the SFTP session. As you can see, when an SFTP session transfers multiple files, the "Name" field contains an entry for every file; this is because I group the results by the ID of the SFTP session. I don't know if this would cause problems for what I'm proposing. In the end result I don't really need the "Name" field; I'd only like to see the application name (once for every session).
I have an Excel document which contains all the applications, and the corresponding servers they run on:
![alt text][1]
Basically what I want is something like:
**If name contains "swpnlxxx", then application name is "xxx".**
And so on for every server/application in my list.
What would be the best way to implement such a functionality in my query?
[1]: /storage/temp/218976-knipsel.jpg
[2]: /storage/temp/218975-2017-12-08-14-04-splunktoolingkpnorg.png