Query to calculate Splunk User Session Time

MousumiChowdhur
Contributor

Hi,

I want to calculate the session time of a user in Splunk. The current scenario is that I have multiple users using the same user credentials, so I can see that the number of logins and the number of logouts are different. Hence, I'm facing difficulty in calculating sessions and identifying session IDs.
Can anyone please help with this?

Thanks!

DalJeanis
SplunkTrust

My first advice is, stop that. It's just bad practice to let multiple users use the same ID, without a lockbox/checkout facility that identifies the actual user at any given time.

My second advice is that the Splunk logon captures the IP of the user, so you can use the src=1.1.1.1 on the action="login attempt" event to differentiate them (at least to collect the same person's stuff together). Hopefully you have some other logs that will help you figure out who has any given IP at any given time.

Can you share your search language as to how you are capturing the logons and logoffs?


MousumiChowdhur
Contributor

Hi DalJeanis,

I am currently using the below query to find the user login and logout.

index=_audit sourcetype=audittrail user=* action=log*
| rename info as status
| replace succeeded with success in status
| replace failed with failure in status
| replace "login attempt" with login in action
| stats count by _time user action status
| append [search index=_internal sourcetype=splunk_web_service user=* action=log*
    | stats count by _time user action status]
| table _time user action status count
| sort - _time

Thanks!
Mousumi Chowdhury

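Building on the query above and on DalJeanis's point that the login event carries src, one way to pair each successful login with its logout per user and source IP, and to surface logins that never got a logout (the "more logins than logouts" case). This is an added example, not a query from the thread; it assumes the audittrail logout events also carry src (if they do not, those logouts fall into the "unknown" group and will not close the login transactions), and the 12h maxspan is an arbitrary cut-off to adjust to your environment.

```spl
index=_audit sourcetype=audittrail user=*
    ((action="login attempt" info=succeeded) OR action=logout)
| eval src=coalesce(src, "unknown")
| eval action=if(action="login attempt", "login", action)
| transaction user src
    startswith=eval(action="login") endswith=eval(action="logout")
    maxspan=12h keepevicted=true
| eval session_id=user . "@" . src . "@" . strftime(_time, "%Y-%m-%dT%H:%M:%S")
| eval state=if(closed_txn=1, "closed", "open_or_expired")
| eval session_secs=if(closed_txn=1, duration, null())
| table _time user src session_id state session_secs eventcount
| sort - _time
```

With keepevicted=true, a login that never sees a logout within maxspan still appears as its own row with state open_or_expired and an empty session_secs, so you can count those separately instead of having them silently skew the average session time.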