Splunk Search

Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

phillipmadm
Explorer

We are logging information from a network security device that has multiple fields of interest. LOGIN, LOGOUT, START, and DISCONNECT messages all have unique time stamps and messages associated with a user (but a unique id with each session). How can I have a single report for a user with the timestamp for LOGIN, LOGOUT per each session?

0 Karma
1 Solution

niketn
Legend

@phillipmadm, looking at your sample events, the LOGOUT event in itself is complete, as it also has the login details, for example:

  • Correlation Keys like - SessionId, User, Client_ip
  • And correlating fields like - Start_time, End_time, Duration

Also, as you have mentioned, many other interesting fields are present, like LogoutMethod.

You can add LOGOUT to your base search to get only the logout events, then override _time with Start_time and plot the duration on a timechart. You can also consider using the Timeline custom visualization to plot the duration as a Gantt chart.

<Your Base Search> LOGOUT
| eval Start_time=strptime(trim(Start_time),"%m/%d/%Y:%H:%M:%S")
| eval _time=Start_time
| timechart max(Duration) as MaxDuration by User

You can try various "by" clauses apart from User, like Client_ip or SessionId, and even a composite key like

 eval Key=User." (SessionID:".SessionId.")"

PS: I have overridden _time with Start_time from your log, since the LOGOUT event has the logout time in _time by default.

Finally, if you want to display all Login/Logout you can use values(Duration) and preferably stats instead of timechart. Please try this and let us know how it goes.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
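Added example, not from this thread or from Splunk: a Python script that applies the same correlation outside Splunk, parsing LOGIN/LOGOUT lines in the format of the sample events posted further down, keying on User and SessionId, taking the login time from the LOGOUT event's Start_time when the LOGIN was not seen, and reporting a LOGIN with no LOGOUT as a still-open session. The sample events are constructed (most fields dropped, a second open session added) and the field names assume the extractions named in the thread.

```python
import re
from datetime import datetime
# Constructed sample events modelled on the SSLVPN LOGIN/LOGOUT lines in this thread
# (browser and byte-count fields dropped; a second LOGIN with no LOGOUT added).
EVENTS = [
    'Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : Context '
    'JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Group(s) "N/A"',
    'Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : Context '
    'JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Start_time '
    '"03/10/2017:18:34:57 " - End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - '
    'LogoutMethod "Explicit" - Group(s) "N/A"',
    'Mar 11 09:00:10 03/11/2017: 08:59:40 ns 0-PPE-0 : SSLVPN LOGIN 17580001 0 : Context '
    'JoeSmith@x.x.x.x - SessionId: 43902- User JoeSmith - Client_ip x.x.x.x - Group(s) "N/A"',
]
# Device-side timestamp ("03/10/2017: 18:34:57") that follows the syslog header
DEVICE_TS = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d (\d\d/\d\d/\d{4}): (\d\d:\d\d:\d\d) ')
KIND = re.compile(r'SSLVPN (LOGIN|LOGOUT) ')
FIELDS = {  # fields of interest from the "- name value" body; quoted values keep a trailing space
    'SessionId': r'SessionId: (\d+)', 'User': r' User (\S+)',
    'Start_time': r'Start_time "([^"]*)"', 'End_time': r'End_time "([^"]*)"',
    'Duration': r'Duration (\d\d:\d\d:\d\d)', 'LogoutMethod': r'LogoutMethod "([^"]*)"',
}
def parse_ts(value):
    # Same format as the answer's strptime(); strip() drops the trailing space inside the quotes
    return datetime.strptime(value.strip(), '%m/%d/%Y:%H:%M:%S')

def duration_seconds(hms):
    h, m, s = (int(x) for x in hms.split(':'))
    return h * 3600 + m * 60 + s
def session_report(events):
    """Correlate LOGIN/LOGOUT on (User, SessionId); a LOGIN with no LOGOUT stays open."""
    sessions = {}
    for line in events:
        kind = KIND.search(line)
        if not kind:
            continue  # START/DISCONNECT and other message types are not session boundaries here
        f = {name: (m.group(1) if (m := re.search(rx, line)) else None) for name, rx in FIELDS.items()}
        day, clock = DEVICE_TS.match(line).groups()
        s = sessions.setdefault((f['User'], f['SessionId']), {
            'user': f['User'], 'session': f['SessionId'], 'login': None,
            'logout': None, 'duration_s': None, 'logout_method': None})
        if kind.group(1) == 'LOGIN':
            s['login'] = parse_ts(f'{day}:{clock}')
        else:  # LOGOUT also carries Start_time, so it alone reconstructs the whole session
            s['login'] = s['login'] or parse_ts(f['Start_time'])
            s['logout'] = parse_ts(f['End_time'])
            s['duration_s'] = duration_seconds(f['Duration'])
            s['logout_method'] = f['LogoutMethod']
    return sorted(sessions.values(), key=lambda s: s['login'])
```

Feeding only the LOGOUT line gives the same login time as the full pair, which is the property the accepted answer relies on.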

phillipmadm
Explorer

Good to go 🙂

0 Karma

niketn
Legend

Do you have a unique id per message or per session, or no unique id for correlation at all? What kind of user information do you have? Can you add some sample mocked-up data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

phillipmadm
Explorer

Examples are below, but the goal is to be able to report (per user) login time, logout time and session duration over multiple days. 🙂
LOGIN, LOGOUT, User, SessionId, Duration, ... are all extracted fields.
Thank you

Example of a login event
Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.1439" - SSLVPN_client_type - Group(s) "N/A"

Example of a logout event
Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Start_time "03/10/2017:18:34:57 " - End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - Http_resources_accessed 23 - NonHttp_services_accessed 0 - Total_TCP_connections 74 - Total_UDP_flows 0 - Total_policies_allowed 74 - Total_policies_denied 0 - Total_bytes_send 2170 - Total_bytes_recv 417916 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 159514 - Compression_ratio_send 0.00% - Compression_ratio_recv 61.83% - LogoutMethod "Explicit" - Group(s) "N/A"

0 Karma