- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to search events with a common value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi to all,
I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)
I set this search
tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s
It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all events cntain the cookie field you can use stats. Something like this might work:
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I better tested the search
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. session time of login), instead I need the session time beetween login and logout, how can I modify the search?
Thanks,
Andrea
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It\s hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's correct " The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with same cookie"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes so that it what my search will calculate. When you say "but it returns the session time of the single action " what value do you actually see?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all events cntain the cookie field you can use stats. Something like this might work:
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?
Thanks,
Andrea
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming I have understood you correctly, session_time<901 (ie 15 minutes and 1 second)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith=action=login endswith=action=logout keeporphan=f
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
