Questions regarding the transaction command

dpatnam
Path Finder

Hello,

We have a set of log events consisting of user activity by a number of different users in an application. We are trying to construct a search that will return only those usernames that have been active in the logs (that is, log events with that username present) for more than 4 hours but did not take a break of at least 15 minutes (i.e. no activity in the logs for at least 15 minutes). I tried using the transaction command like the one shown below but it does not appear to be working. Any advice on how to accomplish this would be greatly appreciated.

sourcetype=app_sourcetype | transaction username maxspan>240m maxpause<15m

Thanks in advance.


Johnvey
Contributor

Is the search you pasted correct? The arguments to transaction do not take inequalities -- it should be something like maxspan=240m and maxpause=15m, not with > or <.

dpatnam
Path Finder

I tried this search to get a list of all the users that were active in the logs for more than 4 hours (14400 seconds) during a day, but I am not sure how I can then use this data to determine those users from this list that had maximum pauses in the logs of less than 15 minutes (did not take a break of 15 minutes or more).

sourcetype=app_sourcetype | stats range(_time) as difference by username | where difference > 14400

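The logic the question describes (split each user's events into sessions at any pause of 15 minutes or more, then keep users with a session longer than 4 hours), as an added Python example that is not from this thread; the log lines are constructed and the `user=` field name is an assumption. It also implements the first-to-last range check from the follow-up post to show why that check alone cannot separate one continuous 4-hour stretch from two shorter ones with a break between them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_SPAN = timedelta(hours=4)       # "active for more than 4 hours"
MAX_PAUSE = timedelta(minutes=15)   # "no break of 15 minutes or more"
FMT = "%Y-%m-%d %H:%M:%S"

def make_lines(user, start, step_min, count):
    """Constructed sample events: one 'view' line per user every step_min minutes."""
    return [f"{start + timedelta(minutes=step_min * i):{FMT}} user={user} action=view"
            for i in range(count)]

T0 = datetime(2024, 1, 10, 8, 0, 0)
SAMPLE_LOG = "\n".join(sorted(                               # interleaved, time-ordered
    make_lines("alice", T0, 14, 19)                          # 08:00-12:12, 14 min gaps
    + make_lines("bob", T0, 10, 13)                          # 08:00-10:00, then 20 min break
    + make_lines("bob", T0 + timedelta(minutes=140), 10, 16) # 10:20-12:50
    + make_lines("carol", T0, 10, 7)))                       # 08:00-09:00 only

def parse(log_text):
    """Group event timestamps by username from '<ts> user=<name> ...' lines."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:19], FMT)
        fields = dict(kv.split("=", 1) for kv in line[20:].split())
        by_user[fields["user"]].append(ts)
    return by_user

def sessions(times, max_pause=MAX_PAUSE):
    """Split timestamps into (start, end) sessions; a gap of max_pause or more
    starts a new session, the grouping 'transaction username maxpause=15m' does."""
    times = sorted(times)
    out, start, prev = [], times[0], times[0]
    for t in times[1:]:
        if t - prev >= max_pause:
            out.append((start, prev))
            start = t
        prev = t
    out.append((start, prev))
    return out

def users_without_break(log_text, min_span=MIN_SPAN, max_pause=MAX_PAUSE):
    """Users with at least one uninterrupted session longer than min_span."""
    hits = {u: [s for s in sessions(t, max_pause) if s[1] - s[0] > min_span]
            for u, t in parse(log_text).items()}
    return {u: s for u, s in hits.items() if s}

def users_by_range(log_text, min_span=MIN_SPAN):
    """The 'stats range(_time)' approach: first-to-last span, ignoring breaks."""
    return {u for u, t in parse(log_text).items() if max(t) - min(t) > min_span}
```

On the constructed data `users_by_range` reports both alice and bob, while `users_without_break` reports only alice, because bob's 20-minute break splits his day into two sessions of 2h and 2h30. In SPL the same grouping is `transaction username maxpause=15m`, after which the transaction's `duration` field (in seconds) can be filtered with `where duration > 14400`.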