Hi,
There are login messages and logout messages in the log files. I want to get those users who have not been logout. My search is:
host="trantest" | transaction user,sessionid startswith="loginmessage" endswith="logoutmessage" keepevicted=true
It should return all transactions containing
But I just get 2) and 3), and I cannot get those transactions that only have a start event.
Any suggestions about transaction usage, or any other way of getting the users who have not logged out?
Thanks & Best regards.
Dianbo
Answer to question 2
This type of scenario certainly requires some sort of startswith/endswith logic because your field values seem to repeat too frequently. (There could be a timing-related fix, e.g. using maxpause or maxspan, but you'll have to decide if that is possible with your data or not. See link at bottom of this post.)
I think I found a working solution by using just "startswith" without using "endswith" (the keepevicted=true doesn't seem to matter in this test case). I did some playing around with your provided sample data (I copied and pasted it into a temp file and used splunk to load it with the file command without indexing it 😉 splunk rocks!)
| file /tmp/examplefile.txt | sort -_time | rex "ip=(?<ip>\d+)" | rex "\s(?<router>\w+)\s\[" | transaction router,ip startswith="aaaaaaa" | eval my_closed_txn=if(searchmatch("bbbbbbb"),1,0)
The first 3 search commands are needed to attempt to match your environment; you can pretty much ignore them.
Side note:
BTW, simply using searchmatch is not 100% accurate here. This is because we are not ensuring that it is the last event; we are only making sure that the text string "bbbbbbb" exists within the combined transaction event's text (the _raw field). So this can be a problem: if "bbbbbbb" occurs as the second event of 3, this approach will not catch that. You can work around this by using match instead of searchmatch in combination with a multiline regex that explicitly will match the bbbbbbb on the last line only. Off the top of my head (aka untested), you could probably use an expression like this:
| eval my_closed_txn=if(match(_raw, "(?s)^.*[\r\n][^\r\n]+\bbbbbbbb\b[\r\n]*$"),1,0)
In case you're not a regex guru, "\b" means boundary, which is even more confusing when you are already matching "b"s. 😉 So this approach would be more accurate, but often it's not worth the hassle. (I have used this approach when analyzing FTP transactions to see if the last session event was a "successful logout", so this kind of thing is needed from time to time.)
Make sure you note this Q&A: Does combining startswith and maxspan in a transaction work?
Hope this helps.
Hi Lowell,
There is a question about your dropping logic.
The log events are listed below. The transaction is defined as "startswith=aaaaaaa endswith=bbbbbbb", so the search statement should be
host="trantest" | rex "\s(?<router>\w+)\s\["
| transaction router,ip startswith="aaaaaaa" endswith="bbbbbbb" keepevicted=true
If the "startswith"/"endswith" logic is moved into a secondary search, the search statement is
host="trantest" | rex "\s(?<router>\w+)\s\["
| transaction router,ip | search "aaaaaaa" NOT "bbbbbbb"
then the last event will be treated as an event in a completed transaction (router=aaa, ip=123).
In my instance, it should belong to an incomplete transaction.
Any suggestion to this point?
Thanks & Best regards,
Dianbo
I've run into some similar issues which I've reported to splunk support, and I know I've seen other posts about transaction issues.
I would try working around the issue by dropping the "startswith"/"endswith" logic and moving that into a secondary search.
host="trantest" | transaction user,sessionid maxspan=7d | search loginmessage NOT logoutmessage
This should do what you want. You will probably want to put a better time limit on this (I picked 7 days as an arbitrary example).
You may also find it useful to add search criteria based on the eventcount field, which is added by the transaction command. Something like | search eventcount>=2
Transaction support has been greatly improved from 3.x to 4.x and I'm hoping to see even more improvements in the future. IMHO, your example search should work.
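As an added illustration, not code from this thread or from Splunk, here is a small Python model of what the searches in the accepted answer and in the workaround above are doing: grouping time-ordered events by user and sessionid, opening a transaction on a login, closing it on a logout, and then reporting the sessions that were never closed. The sample log lines, their field layout and the loginmessage/logoutmessage markers are constructed assumptions. It shows the pitfall discussed in the answer: when a logout is followed by another login under the same key, a plain `search loginmessage NOT logoutmessage` over the combined transaction text misses that session, while checking the last line (or splitting on startswith/endswith and keeping evicted transactions) catches it.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the thread). Line format, field names and the
# loginmessage/logoutmessage markers are assumptions chosen to mirror the question.
# carol's session is the awkward case: login, logout, then another login under the
# same sessionid, so the combined transaction text contains "logoutmessage" even
# though her last event is a login.
SAMPLE_LOG = """\
2010-03-01T09:00:01 host=trantest user=alice sessionid=s1 loginmessage
2010-03-01T09:05:00 host=trantest user=alice sessionid=s1 logoutmessage
2010-03-01T09:10:00 host=trantest user=bob sessionid=s2 loginmessage
2010-03-01T09:12:00 host=trantest user=carol sessionid=s3 loginmessage
2010-03-01T09:13:00 host=trantest user=carol sessionid=s3 logoutmessage
2010-03-01T09:14:00 host=trantest user=carol sessionid=s3 loginmessage
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"sessionid=(?P<sessionid>\S+) (?P<msg>\S+)$"
)
KEYS = ("user", "sessionid")


def parse_events(text):
    """Extract fields from each line and keep the line itself as _raw."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["_raw"] = line
            events.append(ev)
    return events


def transaction(events, keys=KEYS, startswith=None, endswith=None):
    """Approximation of `transaction <keys> startswith=.. endswith=.. keepevicted=true`
    over time-ordered events. A start event opens a fresh transaction for its key
    (any transaction still open for that key is emitted unclosed); an end event
    closes one. Whatever is still open when the data runs out is emitted as
    evicted, which is what keepevicted=true asks for. maxspan/maxpause are not modelled."""
    open_txns = OrderedDict()
    finished = []
    for ev in events:
        key = tuple(ev[k] for k in keys)
        if startswith and ev["msg"] == startswith and key in open_txns:
            finished.append(open_txns.pop(key))
        txn = open_txns.setdefault(key, {"key": key, "events": [], "closed": False})
        txn["events"].append(ev)
        if endswith and ev["msg"] == endswith:
            txn["closed"] = True
            finished.append(open_txns.pop(key))
    finished.extend(open_txns.values())
    for txn in finished:
        txn["eventcount"] = len(txn["events"])  # same field Splunk's transaction adds
    return finished


def combined_raw(txn):
    """A transaction's _raw is its member events' raw text joined by newlines."""
    return "\n".join(ev["_raw"] for ev in txn["events"])


def open_by_search(txns):
    """`| search loginmessage NOT logoutmessage` on the combined _raw (the
    workaround above): only transactions with no logout text anywhere are reported."""
    return sorted(t["key"] for t in txns
                  if "loginmessage" in combined_raw(t)
                  and "logoutmessage" not in combined_raw(t))


# The answer's stricter idea: the logout marker must sit on the *last* line.
LAST_LINE_RE = re.compile(r"(?s)^.*[\r\n][^\r\n]+\blogoutmessage\b[\r\n]*$")


def open_by_last_line(txns):
    """A transaction is closed only if LAST_LINE_RE matches its combined _raw;
    a single-event transaction has no second line and so counts as open."""
    return sorted(t["key"] for t in txns if not LAST_LINE_RE.search(combined_raw(t)))


def open_by_endswith(txns):
    """With endswith given, the `closed` flag is authoritative: the evicted
    (never-closed) transactions are exactly the sessions without a logout."""
    return sorted(t["key"] for t in txns if not t["closed"])


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    plain = transaction(events)
    print("search-based       :", open_by_search(plain))     # misses carol
    print("last-line regex    :", open_by_last_line(plain))  # catches carol
    split = transaction(events, startswith="loginmessage", endswith="logoutmessage")
    print("startswith/endswith:", open_by_endswith(split))
```

Run stand-alone it prints the three result lists; the point to notice is that `open_by_search` over the un-split transactions reports only bob, whereas both the last-line regex and the startswith/endswith split also report carol, whose latest login has no matching logout.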
Thanks for your suggestion. I just have another question about this below. I want to know how you dealt with it. Thanks.