Splunk Search

How to calculate length of session

crobicha
Explorer

I have ssh events in the following log format:

sshd[31922]: pam_unix(sshd:session): session closed for user root

sshd[31922]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd[30954]: pam_unix(sshd:session): session closed for user root

sshd[30954]: pam_unix(sshd:session): session opened for user root by (uid=0)
...

How difficult would it be to generate a report each week that lists each session and its length?

It seems like I need to do something similar to this thread (http://splunk-base.splunk.com/answers/4886/eval-time-between-events-for-transaction-by-group), but I'm not sure exactly how I would apply this to my situation - how do I ensure that the proper session open and close events are correlated?


Ayn
Legend

Looking at the question you linked to, that one covers how to calculate the time between sessions whereas in your case you need to calculate the time within the session. This should be pretty easy to achieve by creating a transaction based on the pid. Assuming you have the pid extracted into a field with the same name, just do

... | transaction pid startswith="session opened" endswith="session closed"

When the transaction command creates transactions, it always outputs a field for each transaction called "duration", which is exactly what it sounds like - the duration of the transaction, in seconds. So to get a table of all sessions and their lengths, do something like this (assuming you have the user extracted into a field called "user"):

... | transaction pid startswith="session opened" endswith="session closed" | table _time user duration

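The same open/close pairing that the `transaction pid startswith=... endswith=...` search performs, written out in Python as an added example (not part of the original answer) so the correlation logic can be checked offline against a handful of lines. The sample log below is constructed: the timestamps, hostname and the users `alice` and `bob` are assumptions, only the pam_unix message text matches the post. It keys sessions on (host, pid) rather than pid alone, because PIDs are only unique per host, and it reports sessions that were opened but never closed inside the window as well as a close with no matching open.

```python
import re
from datetime import datetime

# Constructed sample data, not from the original post. Timestamps, hostname and the
# non-root users are assumptions; the pam_unix message format matches the post.
# Lines are deliberately listed newest-first, as in the post, to show that the
# correlation must sort by time before pairing.
SAMPLE_LOG = """\
Mar 10 10:02:00 host1 sshd[32005]: pam_unix(sshd:session): session closed for user bob
Mar 10 10:00:00 host1 sshd[32001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 09:00:45 host1 sshd[31922]: pam_unix(sshd:session): session closed for user root
Mar 10 09:00:00 host1 sshd[31922]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 10 08:05:30 host1 sshd[30954]: pam_unix(sshd:session): session closed for user root
Mar 10 08:00:00 host1 sshd[30954]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
    r"session (?P<action>opened|closed) for user (?P<user>\S+)"
)


def parse_events(lines, year=2024):
    """Parse pam_unix session lines into (time, host, pid, action, user), oldest first.

    Classic syslog timestamps carry no year, so one is assumed (the parameter)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd line, skip it
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], int(m["pid"]), m["action"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def correlate(events):
    """Pair each 'opened' event with the next 'closed' event for the same (host, pid).

    Mirrors transaction pid startswith="session opened" endswith="session closed",
    but keys on host too, since PIDs are only unique per host.
    Returns (completed_sessions, still_open)."""
    open_by_key = {}
    sessions = []
    for ts, host, pid, action, user in events:
        key = (host, pid)
        if action == "opened":
            # a second open for the same key replaces the first; the first never closed
            open_by_key[key] = {"time": ts, "host": host, "pid": pid, "user": user}
        else:
            start = open_by_key.pop(key, None)
            if start is None:
                continue  # close with no matching open (opened before the window, or lost)
            start["duration"] = (ts - start["time"]).total_seconds()
            sessions.append(start)
    return sessions, list(open_by_key.values())


def weekly_report(lines, year=2024):
    """Rows for a weekly session-length report: ISO week, start, host, user, pid, seconds."""
    sessions, still_open = correlate(parse_events(lines, year))
    rows = [
        (s["time"].isocalendar()[1], s["time"].isoformat(sep=" "),
         s["host"], s["user"], s["pid"], s["duration"])
        for s in sessions
    ]
    return rows, still_open


if __name__ == "__main__":
    rows, still_open = weekly_report(SAMPLE_LOG.splitlines())
    for row in rows:
        print("week %d  %s  %s  %-6s pid=%d  %.0fs" % row)
    for s in still_open:
        print("still open: pid=%d user=%s since %s" % (s["pid"], s["user"], s["time"]))
```

The two things this makes visible that the one-line search does not are worth carrying back into Splunk: if the search spans more than one host, add `host` to the transaction field list so a PID reused on another machine does not get merged into the wrong session, and check the `closed_txn` field on the results, since a session that opened inside the report window but has not closed yet comes back as a transaction with no close event and a duration that ends at the last event seen.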

crobicha
Explorer

Thanks Ayn, that's exactly what I needed!
