
I am starting out with Splunk and trying to solve a problem. I have a dataset containing millions of log records. The use case is to identify unusual events for a specific role and highlight the event and the user. The table below gives a snapshot of the data. The task is to append the last two columns and, for each role, identify appended events that occur relatively less often than the other appended events within the same role.

 user_name  role         event_name     event_type
    A1     Provider     Open Session    Patient
    A1     Provider     Open Session    Patient
    A1     Provider     View Session    Patient
    B1     Provider     Search Session  Admin
    B1     Provider     Search Session  Admin
    B1     Provider     Search Session  Patient
    B1     Provider     Search Session  Admin
    B1     Provider     Open Session    Admin
    C1     Physician    Open Session    Patient
    C1     Physician    Modify Session  Patient
    C1     Physician    Modify Session  Patient
    C2     Physician    Open Session    Patient
    C2     Physician    Open Session    Patient
    C3     Physician    Modify Session  Admin

If I want to find the anomalous events for the role "Provider", the output should be

    user_name    role        appended_event     
        A1     Provider     View Session Patient    
        B1     Provider     Search Session Patient
        B1     Provider     Open Session Admin

Similarly, if I want to find the anomalous events for the role "Physician", the output should be

    user_name    role        appended_event     
        C3     Physician        Modify Session Admin    

I am also looking for a way to visualize such a report. Any help with this would be great.


1 Answer


You can start from here and then define your own threshold:

| eval appended_event = event_name." ".event_type
| eventstats count as role_event_count by role appended_event
| eventstats count as role_count by role
| eval pct = role_event_count / role_count * 100
answered 2018-02-09T21:56:52.457
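The following is an added example, not code from the question or the answer above. It re-implements the answer's SPL logic in plain Python over the question's own snapshot rows (embedded here as a constructed CSV string), so the per-role percentage and the threshold step can be inspected offline: count events per (role, appended_event), count events per role, take the ratio as a percentage, and keep the events whose share falls under a chosen threshold. The threshold value of 20% and the helper names (`load_events`, `score_events`, `find_rare_events`, `rarity_report`) are this example's own assumptions; on the sample data that threshold reproduces exactly the two expected output tables from the question.

```python
"""Per-role rarity scoring for appended events (added example, not from the
original question or answer).  Mirrors the answer's SPL: count per
(role, appended_event), count per role, express the ratio as a percentage,
then keep events whose share is below an analyst-chosen threshold."""
import csv
import io
from collections import Counter

# Constructed sample: the rows from the question's snapshot table, as CSV.
SAMPLE_CSV = """user_name,role,event_name,event_type
A1,Provider,Open Session,Patient
A1,Provider,Open Session,Patient
A1,Provider,View Session,Patient
B1,Provider,Search Session,Admin
B1,Provider,Search Session,Admin
B1,Provider,Search Session,Patient
B1,Provider,Search Session,Admin
B1,Provider,Open Session,Admin
C1,Physician,Open Session,Patient
C1,Physician,Modify Session,Patient
C1,Physician,Modify Session,Patient
C2,Physician,Open Session,Patient
C2,Physician,Open Session,Patient
C3,Physician,Modify Session,Admin
"""


def load_events(text):
    """Parse CSV text into rows and add the appended_event column
    (event_name and event_type joined with a space, as in the question)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["appended_event"] = f"{row['event_name']} {row['event_type']}"
    return rows


def score_events(rows):
    """Return {(role, appended_event): pct}, where pct is the share (0-100)
    of the role's events that this appended_event accounts for.  This is the
    'eventstats ... by role appended_event' and 'eventstats ... by role'
    pair from the answer, collapsed into one pass."""
    role_event_count = Counter((r["role"], r["appended_event"]) for r in rows)
    role_count = Counter(r["role"] for r in rows)
    return {
        (role, event): count / role_count[role] * 100
        for (role, event), count in role_event_count.items()
    }


def find_rare_events(rows, role, threshold_pct):
    """List (user_name, role, appended_event) tuples for events of `role`
    whose share is strictly below threshold_pct, de-duplicated and in
    first-seen order.  threshold_pct is the analyst's choice, as the answer
    says; the data does not pick it for you."""
    pct = score_events(rows)
    hits = []
    for r in rows:
        if r["role"] != role:
            continue
        if pct[(r["role"], r["appended_event"])] < threshold_pct:
            hit = (r["user_name"], r["role"], r["appended_event"])
            if hit not in hits:
                hits.append(hit)
    return hits


def rarity_report(rows, threshold_pct):
    """Plain-text report for every role: the tabular form that would feed a
    chart.  Returns the text so it can be checked, not only printed."""
    pct = score_events(rows)
    lines = []
    for role in sorted({r["role"] for r in rows}):
        lines.append(f"== {role} (events under {threshold_pct}% of role activity)")
        for user, _, event in find_rare_events(rows, role, threshold_pct):
            lines.append(f"  {user:<5} {event:<24} {pct[(role, event)]:5.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(rarity_report(events, threshold_pct=20))
```

In Splunk the same threshold step would be one more line after the answer's last `eval`, for example `| where pct < 20`, followed by `| table user_name role appended_event pct` to get the tabular output the question asks for (that continuation is this example's suggestion, not part of the answer). Note that a fixed percentage behaves differently for roles with very few events, where a single occurrence can already be a large share; the threshold should be chosen per role or alongside a minimum role_count.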