Splunk Search

Determine users on the same server within a time window

sgoyette
New Member

Hi,

I'm attempting to obtain a unique list of users who were on a server within a small time window (1 second). I'm not looking for the count but rather the user id of each user.

Logs look somewhat like this:

2012-02-25 21:58:58,950 -0700 level=INFO ServerName=app1.domain.com userid=1234566

I've tried various transaction approaches similar to this:

"ServerName=app1.domain.com" | dedup userid | transaction fields="_time" maxspan=1s 

This doesn't end up giving me what I'm looking for. I'm certainly no Splunk expert (rather just a beginner) and I'm sure this is possible... I just haven't been able to find a way to accomplish this.

Thanks,

Steve

0 Karma

Ayn
Legend

Do you actually have log events exactly within that timeframe that show which users are logged in? Most of the time there will be login events and logout events, and the time in between them would be when the users are "on" the server. It's certainly doable to solve that case, but a bit tricky as you would have to decide how long the acceptable total timeframe to search for login/logout events is, and then check which of the sessions spanned across the specific point in time you really were looking for.

Or are you looking just for users with very short sessions? One easy way to do that would be to create a transaction based on the userid and then search for transactions that didn't last for more than a second. In order to avoid getting multiple logins from the same user within the same transaction you should also define some span that's longer than the 1 second you're looking for but short enough so that you're not getting multiple sessions. Perhaps 1 minute? That would result in something like this:

"ServerName=app1.domain.com" | transaction userid maxspan=1m | search duration<2

(The transaction command you specify in your question creates transactions based on "_time", which means it will join events that have the exact same timestamp. This is probably not what you want.)

0 Karma

kristian_kolb
Ultra Champion

Since Splunk does not keep states, you'll have to find events regarding user activity before, during and after the time you're interested in.

You should rather do the transaction on the userid:

your_search "ServerName=app1.domain.com" | transaction userid

If you set the time limits for the search to +/- 1 minute relative to the second you're interested in, Splunk will build a set of events, one for each unique userid found during that two-minute span. Each of these newly constructed events will contain all the log messages for a particular userid. If your log (and application) is of the kind that contains logon/logoff messages, you could specify that as:

"ServerName=app1.domain.com" | transaction userid startswith=logon endswith=logoff

where 'logon' and 'logoff' would be strings in the log message denoting that type of event.

However, it might be hard to be certain that you really found all users, since a user might log on and stay silent for hours or days (depending on what kind of application you have).

UPDATE: After reading your question a bit more closely, I'm not sure that you need a transaction at all. If you just want to have a list of userids for a given time period, it's even simpler:

"ServerName=app1.domain.com" | dedup userid | table userid

Hope this helps,

Kristian

EDIT: Some spelling, more info

0 Karma

Ayn
Legend

Doesn't Kristian's last suggestion address that?

0 Karma

sgoyette
New Member

I suspect I haven't been clear enough. Each entry in this log IS the user activity that I'm attempting to correlate. If I think of this in terms of an algorithm I would create a hash map that uses time as a key and points to a list of userid. For each line in the logs I would look in the hash to obtain the list (or create if it's not there) and then add the userid to the list. Lastly I would loop through the keys in the hash map and for each entry that has more than a single entry in the list I would output the results. Does that help?

0 Karma
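The hash-map algorithm Steve describes, as an added example that is not part of the thread: events are parsed from the log format shown in the question, bucketed into fixed windows (1 second by default, the same idea as bucketing `_time` in Splunk), and only windows in which more than one distinct userid was active on the chosen server are reported. The sample events are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the format shown in the question (not real logs).
SAMPLE_LOG = """\
2012-02-25 21:58:58,950 -0700 level=INFO ServerName=app1.domain.com userid=1234566
2012-02-25 21:58:58,990 -0700 level=INFO ServerName=app1.domain.com userid=7654321
2012-02-25 21:58:58,995 -0700 level=INFO ServerName=app1.domain.com userid=1234566
2012-02-25 21:58:59,100 -0700 level=INFO ServerName=app1.domain.com userid=1234566
2012-02-25 21:59:00,000 -0700 level=INFO ServerName=app2.domain.com userid=9999999
2012-02-25 21:59:00,200 -0700 level=INFO ServerName=app1.domain.com userid=9999999
2012-02-25 21:59:00,300 -0700 level=INFO ServerName=app1.domain.com userid=1111111
"""

# Pulls the second-resolution timestamp, UTC offset, server and userid out of one event.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<tz>[+-]\d{4}) .*?"
    r"\bServerName=(?P<server>\S+)\s+userid=(?P<userid>\S+)"
)


def concurrent_users(log_text, server, window_seconds=1):
    """Map each time window in which more than one distinct userid was active on
    `server` to the sorted list of those userids (the hash-map approach from the post).
    The same logic in SPL would bucket _time with `bin` and group with `stats` by _time."""
    buckets = defaultdict(set)  # window start (epoch seconds) -> set of userids
    tzinfo = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("server") != server:
            continue  # unparseable line or a different server
        event_time = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
        tzinfo = event_time.tzinfo
        epoch = int(event_time.timestamp())
        window_start = epoch - epoch % window_seconds  # floor to the window boundary
        buckets[window_start].add(m["userid"])
    result = {}
    for window_start, users in sorted(buckets.items()):
        if len(users) > 1:  # keep only windows where several distinct users were active
            label = datetime.fromtimestamp(window_start, tz=tzinfo).strftime("%Y-%m-%d %H:%M:%S")
            result[label] = sorted(users)
    return result


if __name__ == "__main__":
    for window, users in concurrent_users(SAMPLE_LOG, "app1.domain.com").items():
        print(window, ", ".join(users))
```

Widening `window_seconds` (for example to 60) gives the per-minute view of the same data, which is the bucket size Kristian's +/- 1 minute suggestion amounts to.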