
Splunk Lantern

Most commonly accessed business applications

You might need to know which business applications your users access most when doing the following:

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

Example

Your workforce is fully remote. To ensure network security, you want to report on what applications users are accessing most over certain time periods each day.

To optimize the search shown below, you should specify a time range.

  1. Run the following search:
| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype
| where 'Authentication.app'!=sourcetype
| timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

| tstats prestats=t dc(Authentication.user) FROM datamodel=Authentication WHERE (index=main OR index=firewall) nodename=Authentication.Successful_Authentication BY Authentication.app sourcetype

Search the main and firewall indexes for successful authentication events in the Authentication data model and group the results by application and sourcetype. Set prestats to true so the results can be passed on to the timechart command.

| where 'Authentication.app'!=sourcetype

Filter out results where the application field merely repeats the sourcetype.

| timechart useother=false limit=10 span=1h dc(Authentication.user) AS unique_users BY Authentication.app

Create a chart that shows the 10 most accessed applications in your organization on an hourly basis, without bucketing the remaining applications into an "other" category, and calculate a distinct user count for each.

If you want to see only the single most accessed application, replace the timechart line of the search with:
| stats dc(Authentication.user) AS unique_users BY Authentication.app
| sort 1 - unique_users

Result

This search highlights the most accessed applications on your network over the specified time frame. Correlate this information with the results of other searches to determine what is normal or anomalous activity on your network.
