A key value of running AeroFS on your own infrastructure is the ability to get insights on how your organization collaborates and shares data. A little over a year ago, we launched the AeroFS Auditing Service, which allows IT administrators to audit all usage within AeroFS in real-time. The Auditing Service provides a well-structured JSON feed and integrates with Splunk, a downstream event capture and analysis system, out of the box. However, unless you’re a Splunk expert, it’s not immediately obvious how you can transform the audit data into useful metrics that will help answer questions like:

  • How many employees are actually using the software?
  • Which employees share the most content?
  • What features are employees utilizing the most?
  • And so on.

Today we are releasing some example Splunk queries to make integration with Splunk even easier. You can run these queries yourself to get a quick snapshot of how AeroFS is being used in your organization today!

Below are some examples of the queries and the corresponding reports you can generate in Splunk. The latest versions of the queries are available on our GitHub.

Search for number of links created by user and link type

sourcetype="_json" link.* |
    spath |
    rename caller as user_id |
    stats
        count(eval(event=="link.create")) AS "Regular Links",
        count(eval(event=="link.set_password")) AS "Password Links",
        count(eval(event=="link.set_expiry")) AS "Set Expiry Links"
    BY user_id



Search for number of file creations, modifications, deletions by user

sourcetype="_json" file.notification |
    spath |
    rename verified_submitter.user_id as user_id |
    eval user_id=if(user_id==":2","Team Server",user_id) |
    eval ops=mvjoin('operations{}', " ") |
    stats
        count(eval(ops=="CREATE MODIFY" OR
            ops=="CREATE")) as num_files_created,
        count(eval(ops=="MODIFY")) as num_file_modifications,
        count(eval(ops=="DELETE")) as num_files_deleted
    BY user_id
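
To check this query's bucketing outside Splunk, the following added example (not AeroFS code) replays the same aggregation in Python over constructed audit events. The JSON shape, including a top-level `event` field, is assumed from the field names the queries use; the `uncounted` bucket is an addition that shows which operation combinations the query's exact string matches leave out.

```python
import json
from collections import Counter, defaultdict

# Constructed sample feed, one JSON event per line. The event shape is an
# assumption inferred from the field names used in the Splunk query.
SAMPLE_FEED = """\
{"event": "file.notification", "verified_submitter": {"user_id": "alice@example.com"}, "operations": ["CREATE", "MODIFY"]}
{"event": "file.notification", "verified_submitter": {"user_id": "alice@example.com"}, "operations": ["MODIFY"]}
{"event": "file.notification", "verified_submitter": {"user_id": "alice@example.com"}, "operations": ["MODIFY"]}
{"event": "file.notification", "verified_submitter": {"user_id": "bob@example.com"}, "operations": ["DELETE"]}
{"event": "file.notification", "verified_submitter": {"user_id": ":2"}, "operations": ["CREATE"]}
{"event": "file.notification", "verified_submitter": {"user_id": "bob@example.com"}, "operations": ["MODIFY", "DELETE"]}
{"event": "link.create", "caller": "carol@example.com"}
"""

def classify(operations):
    """Map an operations list to the column the query would count it under."""
    ops = " ".join(operations)  # equivalent of mvjoin('operations{}', " ")
    if ops in ("CREATE MODIFY", "CREATE"):
        return "num_files_created"
    if ops == "MODIFY":
        return "num_file_modifications"
    if ops == "DELETE":
        return "num_files_deleted"
    return "uncounted"  # exact matches in the query miss any other combination

def summarize(feed):
    """Return {user_id: {column: count}} for file.notification events."""
    totals = defaultdict(Counter)
    for line in feed.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("event") != "file.notification":
            continue
        user = (record.get("verified_submitter") or {}).get("user_id")
        if user is None:  # stats ... BY drops events that lack the BY field
            continue
        if user == ":2":  # same substitution as the eval in the query
            user = "Team Server"
        totals[user][classify(record.get("operations", []))] += 1
    return {user: dict(counts) for user, counts in totals.items()}

if __name__ == "__main__":
    for user, counts in sorted(summarize(SAMPLE_FEED).items()):
        print(user, counts)
```

A non-zero `uncounted` value for real data means the Splunk report is under-reporting that user's activity and the `eval` conditions need another case.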



Search for number of shared folder invitations sent by user

sourcetype="_json" folder.invite |
    spath |
    rename caller.email as user_id |
    stats
        count(eval(event=="folder.invite")) as num_folder_invitations_sent
    BY user_id


This is just the tip of the iceberg with respect to what you can do with our audit interface. Check out our developers page for a comprehensive overview of all AeroFS events logged by the Auditing Service. You can use it as a reference point to build your own Splunk queries. We welcome contributions to our public Splunk example repository.

Questions? Comments?
Shoot us an email at support@aerofs.com.

— Suthan & The AeroFS Team.