Splunk Search

How to correlate correlate login and logout events using the map command or a more efficient method?

tenorway
Path Finder

Hi there!

I am trying to achieve the following:
Detect users that are unwillingly logged out of my web site. If the logout occurs two seconds or less after the login, I want this event to be returned.

I have tried the following command:

index=klpi OR index=klpiprod Automatic logout logged | rex("user-ID=\[(?<nin>[0-9]{11})\]") | eval starttime=strftime(_time-2,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=klpi OR index=klpiprod *login* CustomTai-2.0.4 LoginDetails nationalIdentificationNumber" nationalIdentificationNumber=$nin$ maxsearches=100

The search returns events that Contains custom-tai, but do not scope to only those with nationidentificationNumer=nin

Any ideas what I'm doing wrong? Is there a faster way to achieve this? The map command is slow and ultimately I want to get some statistics over time.

Thanks for any assistance!

Tor Erik

0 Karma

tenorway
Path Finder

I found out what was wrong with the search, a misplaced ".
Here is a working search, If anyone is interested:

index=klpiprod Automatic logout logged  
|rex("user-ID=\[(?<nin>[0-9]{11})\]") | dedup nin 
| eval starttime=strftime(_time-5,"%m/%d/%Y:%H:%M:%S") 
| eval endtime=strftime(_time,"%m/%d/%Y:%H:%M:%S")  
| map search="search index=klpiprod CustomTai-2.0.4 LoginDetails nationalIdentificationNumber=$nin$ earliest=$starttime$ latest=$endtime$"
0 Karma

tenorway
Path Finder

The search now works, and by raising maxsearches, I get all the results.
However, the search performs very badly (As expected..). Automatic logout occurs very often, hence the mapped search will run many times.

Is there any other way? Piping to search, using a sub search or maybe using the stats command?
I have tried a subsearch, but can't make changing time of the parent search work. And I guess sub search will be slow as well.

Thanks for any assistance?

0 Karma

skalliger
SplunkTrust
SplunkTrust

Of course, the map command is slow. It tries to search in any given result from the first search with the following logic. Right now, I don't really understand why you want to use it here. I'd use transaction to group the results together. But I'd need to have similar data to test that command. Unfortunately, our data is completely different.

Did you try working with the where command?

index=klpi OR index=klpiprod Automatic logout logged
| rex("user-ID=\[(?<nin>[0-9]{11})\]") 
| eval starttime=strftime(_time-2,"%m/%d/%Y:%H:%M:%S")
| eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S")
| where nationalIdentificationNumber=$nin$
| map search="search index=klpi OR index=klpiprod *login* CustomTai-2.0.4 LoginDetails nationalIdentificationNumber"

Is that giving any different results?
Btw, you can format you search queries with shift+enter like I did in the code box above.

0 Karma

tenorway
Path Finder

Thanks for your response!

I'm using map because I want the time and the nin from the first search to be run in the second search with additional seatrch parameters and slightly changed time.
I extract the nin to use in the mapped search, where the field nationalIdentificationNumber is present.

First search: Detect logout. Extract nin and time
Mapped search: Check if there was a login for the same user within a few seconds earlier.

The where clause will not work, since the nationalIdentificationNumber field is not present in the events returnes by the first search

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...