Query to calculate Splunk User Session Time

MousumiChowdhur
Contributor

Hi,

I want to calculate the session time of a user in Splunk. The current scenario is that I have multiple users using the same user credentials, so I can see that the number of logins and the number of logouts are different. Hence, I'm facing difficulty in calculating sessions and identifying session IDs.
Can anyone please help with this?

Thanks!

DalJeanis
Legend

My first advice is, stop that. It's just bad practice to let multiple users use the same ID, without a lockbox/checkout facility that identifies the actual user at any given time.

My second advice is that the Splunk logon captures the IP of the user, so you can use the src=1.1.1.1 on the action="login attempt" event to differentiate them (at least to collect the same person's stuff together). Hopefully you have some other logs that will help you figure out who has any given IP at any given time.

Can you share your search language as to how you are capturing the logons and logoffs?

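Added example, not code from the thread or from Splunk: it applies DalJeanis's suggestion in Python, pairing each successful "login attempt" with the next logout from the same (user, src) pair and reporting logins that never got a logout separately, which is the shared-credential case in the question. The sample events, their simplified key=value layout and the field names (user, action, info, src) are constructed to mirror the audittrail fields used later in the thread; the FIFO pairing rule (a logout closes the earliest still-open login from that user and IP) is an assumption.

```python
"""Pair login/logout audit events into sessions, keyed by (user, src).

Added example (not from the thread). Field names and the event layout
are assumptions modelled on Splunk _audit audittrail events.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: two people share the "svc_ops" credential from
# different source IPs; one of them never logs out. Not real data.
SAMPLE_EVENTS = [
    'timestamp=2024-05-01T09:00:00Z user=svc_ops action="login attempt" info=succeeded src=10.0.0.5',
    'timestamp=2024-05-01T09:05:00Z user=svc_ops action="login attempt" info=succeeded src=10.0.0.9',
    'timestamp=2024-05-01T09:06:00Z user=svc_ops action="login attempt" info=failed src=10.0.0.7',
    'timestamp=2024-05-01T09:45:00Z user=svc_ops action=logout info=succeeded src=10.0.0.5',
    'timestamp=2024-05-01T10:00:00Z user=alice action="login attempt" info=succeeded src=10.0.0.20',
    'timestamp=2024-05-01T10:30:00Z user=alice action=logout info=succeeded src=10.0.0.20',
]

# key=value pairs; values may be double-quoted (e.g. action="login attempt").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict and add a parsed 'ts' datetime."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(
        fields["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return fields


def sessionize(lines):
    """Return (sessions, open_logins, orphan_logouts).

    sessions:       closed sessions with user, src, login, logout, duration_s
    open_logins:    successful logins with no later logout from the same (user, src)
    orphan_logouts: logouts with no preceding open login for that (user, src)
    Failed login attempts are ignored.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    pending = defaultdict(list)  # (user, src) -> logins awaiting a logout
    sessions, orphan_logouts = [], []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["action"] == "login attempt":
            if ev.get("info") == "succeeded":
                pending[key].append(ev)
        elif ev["action"] == "logout":
            if pending[key]:
                # Assumption: FIFO, the earliest open login from this IP ends first.
                login = pending[key].pop(0)
                sessions.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "login": login["ts"],
                    "logout": ev["ts"],
                    "duration_s": int((ev["ts"] - login["ts"]).total_seconds()),
                })
            else:
                orphan_logouts.append(ev)
    still_open = [ev for evs in pending.values() for ev in evs]
    return sessions, still_open, orphan_logouts


def session_time_by_user(sessions):
    """Total closed-session seconds per user (what the question asks for)."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["user"]] += s["duration_s"]
    return dict(totals)


if __name__ == "__main__":
    sessions, open_logins, orphans = sessionize(SAMPLE_EVENTS)
    for s in sessions:
        print(f'{s["user"]}@{s["src"]}: {s["duration_s"]} s')
    for ev in open_logins:
        print(f'open (no logout seen): {ev["user"]}@{ev["src"]} since {ev["ts"]}')
    print("totals:", session_time_by_user(sessions))
```

The unmatched-login list is the part worth keeping an eye on: with a shared credential it is the only signal that someone is still logged in, and two people behind the same NAT address still collapse into one (user, src) key, which is why the reply above asks for other logs that tie an IP to a person.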

MousumiChowdhur
Contributor

Hi DalJeanis,

I am currently using the below query to find the user login and logout.

index=_audit sourcetype=audittrail user=* action=log*
| rename info as status
| replace succeeded with success in status
| replace failed with failure in status
| replace "login attempt" with login in action
| stats count by _time user action status
| append [search index=_internal sourcetype=splunk_web_service user=* action=log*
    | stats count by _time user action status]
| table _time user action status count
| sort - _time

Thanks!
Mousumi Chowdhury
