Hi,
For some reason, in a query that contains a transaction of some Juniper SSL VPN logs, my duration doesn't seem to be calculating properly. Instead, I'm getting all zeros for my results.
Here are the relevant parts of my query:
... | transaction remoteip startswith="started" endswith="ended" | table vpnuser remoteip duration
and here's a snippet of a result:
Feb 15 22:23:51 10.31.248.17 Juniper: 2011-02-15 22:23:51 - nethost - [x.x.x.x] user(FOO-NC)[BarNC] - user/FOO-NC logged out from IP (y.y.y.y) because user started new session from IP (z.z.z.z).
Feb 15 22:24:25 10.31.248.17 Juniper: 2011-02-15 22:24:25 - nethost - [x.x.x.x] user(FOO-NC)[BarNC] - Network Connect: Session ended for user with IP a.a.a.a
I'm getting a properly constructed table, of course, but with the duration column filled with zeros. Even a spot check on the 'duration' field value reveals all zeros.
I basically want the difference in time between the first and last event, and I'm just not getting it.
Thanks in advance for any assistance!
-mt
Does your event stream have the _time field available prior to invocation of the transaction command? It might be most convenient to check with
... | eval test_time=_time
where ... is your full search string up to the point of transaction. At this point you can use the field inspection tools on test_time.
One possibility is that all these events got timestamped with the current time (DATE_CONFIG=current) and were loaded in as historical data, or something along those lines. It seems a bit unlikely given the recent nature of these events, but I'm not sure what's going on so far.
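As an added example that is not part of either post above: the script below reproduces outside Splunk what the transaction command is being asked to do on the two events quoted in the question, so the two candidate explanations can be seen side by side. It parses the Juniper lines with a regex written for this example, takes _time from the application timestamp after "Juniper:", pairs a "started" event with the following "ended" event per key, and reports the duration. A second run feeds every event the same ingest time, which is the DATE_CONFIG=current situation the answer describes, and shows why that yields a duration of zero. The sample lines are copied from the question with its placeholder IPs; treating the first IP column as the remoteip field, and the user(...) token as vpnuser, is an assumption made for this example, not something the thread confirms.

```python
import re
from datetime import datetime, timezone

# Sample events constructed from the two lines quoted in the question (placeholder IPs kept).
SAMPLE_EVENTS = [
    "Feb 15 22:23:51 10.31.248.17 Juniper: 2011-02-15 22:23:51 - nethost - [x.x.x.x] "
    "user(FOO-NC)[BarNC] - user/FOO-NC logged out from IP (y.y.y.y) because user started "
    "new session from IP (z.z.z.z).",
    "Feb 15 22:24:25 10.31.248.17 Juniper: 2011-02-15 22:24:25 - nethost - [x.x.x.x] "
    "user(FOO-NC)[BarNC] - Network Connect: Session ended for user with IP a.a.a.a",
]

# Field extraction written for this example; the Splunk field names it produces
# (remoteip, vpnuser) are assumed to correspond to the question's fields.
EVENT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<remoteip>\S+) Juniper: "
    r"(?P<app_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+ - \[(?P<src>[^\]]+)\] "
    r"user\((?P<vpnuser>[^)]+)\)\[[^\]]*\] - (?P<msg>.*)$"
)


def parse_event(line, ingest_time=None):
    """Return a dict of fields for one event, or None if the line does not match.

    With ingest_time=None, _time comes from the application timestamp in the event
    (what a correct timestamp extraction gives). Passing a fixed ingest_time stamps
    every event with that value, simulating DATE_CONFIG=current on historical data.
    """
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    if ingest_time is None:
        # The syslog prefix has no year, so use the full application timestamp.
        app_ts = datetime.strptime(fields["app_ts"], "%Y-%m-%d %H:%M:%S")
        fields["_time"] = app_ts.replace(tzinfo=timezone.utc).timestamp()
    else:
        fields["_time"] = float(ingest_time)
    return fields


def distinct_times(events):
    """Number of distinct _time values; the counterpart of inspecting eval test_time=_time.

    A single distinct value across many events is the symptom of every event having
    been stamped with the same (ingest) time.
    """
    return len({ev["_time"] for ev in events})


def transaction(events, key="remoteip", startswith="started", endswith="ended"):
    """Pair a start event with the next end event per key value and compute duration.

    This mirrors `transaction <key> startswith=... endswith=...` in the question:
    duration is the _time of the last event minus the _time of the first.
    """
    open_txn = {}
    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev[key]
        if startswith in ev["msg"]:
            open_txn[k] = ev
        elif endswith in ev["msg"] and k in open_txn:
            first = open_txn.pop(k)
            results.append({
                "vpnuser": first["vpnuser"],
                key: k,
                "duration": ev["_time"] - first["_time"],
            })
    return results


def compute_durations(lines, ingest_time=None):
    """Parse raw lines and return the transaction table (vpnuser, remoteip, duration)."""
    events = [ev for ev in (parse_event(ln, ingest_time) for ln in lines) if ev]
    return transaction(events)


if __name__ == "__main__":
    print("timestamps from the event:", compute_durations(SAMPLE_EVENTS))
    # Every event stamped with one ingest time: first == last, so duration is 0.
    print("all events stamped at ingest:", compute_durations(SAMPLE_EVENTS, ingest_time=1297808000))
```

With timestamps taken from the events the single transaction has a duration of 34 seconds; with every event given the same _time the same pairing logic still produces a row, but its duration is zero, which is exactly the table the question describes. Checking distinct_times() on the parsed events (one value versus many) is the offline equivalent of the eval test_time=_time check suggested above.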