I am starting off with Splunk and trying to solve a problem. I have a data set with millions of log records. The use case is to identify events that are unusual for a specific role and highlight the event and the user. The table below gives a snapshot of the data. The task is to append the last two columns and, for each role, identify the appended events that have happened relatively less often than other appended events in the same role.
| user_name | role | event_name | event_type |
|---|---|---|---|
| A1 | Provider | Open Session | Patient |
| A1 | Provider | Open Session | Patient |
| A1 | Provider | View Session | Patient |
| B1 | Provider | Search Session | Admin |
| B1 | Provider | Search Session | Admin |
| B1 | Provider | Search Session | Patient |
| B1 | Provider | Search Session | Admin |
| B1 | Provider | Open Session | Admin |
| C1 | Physician | Open Session | Patient |
| C1 | Physician | Modify Session | Patient |
| C1 | Physician | Modify Session | Patient |
| C2 | Physician | Open Session | Patient |
| C2 | Physician | Open Session | Patient |
| C3 | Physician | Modify Session | Admin |
If I want to find unusual events for the role "Provider", the output should be:

| user_name | role | appended_event |
|---|---|---|
| A1 | Provider | View Session Patient |
| B1 | Provider | Search Session Patient |
| B1 | Provider | Open Session Admin |
Similarly, if I want to find the unusual events for the role "Physician", the output should be:

| user_name | role | appended_event |
|---|---|---|
| C3 | Physician | Modify Session Admin |

I am also looking for a way to visualize such a report. Any help on this would be great.
You can start with this and then define your own thresholds:

```
| eval appended_event = event_name . " " . event_type
| eventstats count as role_event_count by role appended_event
| eventstats count as role_count by role
| eval pct = role_event_count / role_count * 100
```
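To make the per-role share computation concrete, here is an added example (not code from the question or the answer above) that reproduces the two eventstats steps and the `pct` calculation in plain Python over the question's sample rows, then flags rows whose appended event falls below a share threshold. The records are constructed from the table in the question; the 20% threshold and the function names are assumptions chosen so that the flagged rows match the expected output for both roles, and the threshold is the value the answer says you should define yourself.

```python
from collections import Counter

# Constructed sample records copied from the question's table
# (user_name, role, event_name, event_type).
SAMPLE_LOGS = [
    ("A1", "Provider", "Open Session", "Patient"),
    ("A1", "Provider", "Open Session", "Patient"),
    ("A1", "Provider", "View Session", "Patient"),
    ("B1", "Provider", "Search Session", "Admin"),
    ("B1", "Provider", "Search Session", "Admin"),
    ("B1", "Provider", "Search Session", "Patient"),
    ("B1", "Provider", "Search Session", "Admin"),
    ("B1", "Provider", "Open Session", "Admin"),
    ("C1", "Physician", "Open Session", "Patient"),
    ("C1", "Physician", "Modify Session", "Patient"),
    ("C1", "Physician", "Modify Session", "Patient"),
    ("C2", "Physician", "Open Session", "Patient"),
    ("C2", "Physician", "Open Session", "Patient"),
    ("C3", "Physician", "Modify Session", "Admin"),
]


def append_event(record):
    """Equivalent of `eval appended_event = event_name . " " . event_type`."""
    user, role, event_name, event_type = record
    return (user, role, f"{event_name} {event_type}")


def role_event_stats(records):
    """Mirror the two eventstats steps: count per (role, appended_event),
    count per role, and the percentage share of each event within its role."""
    rows = [append_event(r) for r in records]
    role_event_count = Counter((role, ev) for _, role, ev in rows)
    role_count = Counter(role for _, role, _ in rows)
    stats = {}
    for (role, ev), n in role_event_count.items():
        stats[(role, ev)] = {
            "role_event_count": n,
            "role_count": role_count[role],
            "pct": n / role_count[role] * 100,
        }
    return stats


def unusual_events(records, threshold_pct=20.0):
    """Return distinct (user_name, role, appended_event) rows whose appended
    event accounts for less than threshold_pct of all events for that role.
    threshold_pct is an assumed value; tune it to your own data."""
    stats = role_event_stats(records)
    flagged = []
    for user, role, ev in (append_event(r) for r in records):
        row = (user, role, ev)
        if stats[(role, ev)]["pct"] < threshold_pct and row not in flagged:
            flagged.append(row)
    return flagged


def unusual_events_for_role(records, role, threshold_pct=20.0):
    """Filter the flagged rows down to one role, like `| where role="..."`."""
    return [row for row in unusual_events(records, threshold_pct) if row[1] == role]


if __name__ == "__main__":
    for role in ("Provider", "Physician"):
        print(f"Unusual events for {role}:")
        for user, _, ev in unusual_events_for_role(SAMPLE_LOGS, role):
            print(f"  {user}\t{ev}")
```

With the sample data every Provider event that occurs once is 12.5% of that role's eight events, and the single Physician "Modify Session Admin" is about 16.7% of six, so a 20% cutoff reproduces both expected tables; on millions of real records you would pick the cutoff from the distribution of `pct` per role rather than from a handful of rows.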