Dashboards & Visualizations

How to display a timeframe from two events?

nicxso
Engager

Hey guys,

I have a question. I have this search:

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")

| table host, vhost, audit_token, src_ip, session_id, time_request_total

This gives me two events. In the picture below, the first event contains the http_request_url="/portal/web/private-clients/" value and the second event contains the http_method="POST" value. Both have the same session id.

(screenshot of the two events)

I would like to create a dashboard that shows a time frame with the duration between these two events. The result of the duration should be 10 seconds.

Is there a way where you don't have to use the transaction command, or is there any other way? Kinda curious.

Thanks for your help

0 Karma
1 Solution

niketn
Legend

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count min(_time) as _time max(_time) as latestTime values(host) as host values(vhost) as vhost values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table _time, host, vhost, audit_token, src_ip, session_id, time_request_total, duration
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


nicxso
Engager

@niketnilay

Thanks, I will try out the search later. I would also like to use the search to display a timeline, where the X-axis shows the time of these two events and the Y-axis the duration. How can I do that? Could I just use the timechart command? What would the search look like?

Thanks

0 Karma

nicxso
Engager

@niketnilay Would it also be possible to use the timechart command?

0 Karma

niketn
Legend

@nicxso if you want to display the duration for events, you can use the Timeline Custom Visualization.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
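As an added example (not from either poster), the same stats-based pairing run over constructed sample events, with the output shaped for the Timeline Custom Visualization. I assume the visualization expects the first three columns to be _time (start), a resource/label field and a duration in milliseconds, with an optional fourth field used for colour; the session ids, URLs and timestamps below are made up.

```spl
| makeresults count=4
| streamstats count as n
| eval session_id=if(n<=2, "sessA", "sessB"),
       http_request_url=if(n%2==1, "/portal/web/private-clients/", "/portal/web/login"),
       http_method=if(n%2==1, "GET", "POST"),
       _time=case(n==1, 1700000000, n==2, 1700000010, n==3, 1700000100, n==4, 1700000115)
| search http_request_url="/portal/web/private-clients/" OR http_method="POST"
| stats count min(_time) as _time max(_time) as latestTime by session_id
| where count>1
| eval duration=latestTime-_time
| eval duration_ms=duration*1000
| eval status=if(duration>10, "slow", "ok")
| table _time, session_id, duration_ms, status
```

With the constructed data this yields sessA with 10000 ms (status ok) and sessB with 15000 ms (status slow); point the Timeline visualization at this result set instead of timechart, which only buckets counts over time.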