i would like to report on the events submitted via the rest API by user. i have multiple users that submit data to splunk via the rest api. the request is recorded in _internal index as:
127.0.0.1 - user1 [16/May/2013:12:55:00.807 -0600] "POST /services/receivers/simple?source=fe_test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 882 - - - 3ms
an example event may look like this:
<?xml version="1.0" encoding="utf-8"?><alerts appliance="gitest.fireeye.com" msg="normal" product="Web MPS" version="6.1.0.70271" xmlns="http://www.fireeye.com/alert/2011/AlertSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.fireeye.com/alert/2011/AlertSchema FireEyeAlert.xsd"><alert id="91" name="malware-object" severity="majr"><explanation analysis="content" protocol="tcp"><malware-detected><malware name="Trojan.Onlinegames" origid="2274" sid="2274" stype="duplicate-md5sum" type="exe"><downloaded-at>2012-07-23T08:30:39.062949</downloaded-at><md5sum>5352ffa20a29a2201074dcafccb0c9d2</md5sum><original>cao.exe</original><http-header>GET /cao/cao.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; InfoPath.2)
Accept: */*
Host: google.netcdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 11539
Content-Type: application/octet-stream
i would like to find out the event corresponding to a submission and be able to present a table or be able to write an alert based on a combination of user and data in the submission.
i appreciate your insights.