Splunk Search

how to search events with a common value

andreac81
Explorer

Hi to all,

I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)

I set this search

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s

It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks

0 Karma
1 Solution

jplumsdaine22
Influencer

If all events contain the cookie field you can use stats. Something like this might work:

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16

View solution in original post

andreac81
Explorer

I tested the search more carefully:

tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16

but it returns the session time of the single action (i.e. the session time of the login), whereas I need the session time between login and logout. How can I modify the search?
Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

It's hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else?

0 Karma

andreac81
Explorer

It's correct: "The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with the same cookie"

0 Karma

jplumsdaine22
Influencer

Yes, so that is what my search will calculate. When you say "but it returns the session time of the single action", what value do you actually see?

0 Karma

andreac81
Explorer

Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?

Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

Assuming I have understood you correctly, session_time<901 (i.e. 15 minutes and 1 second)

0 Karma

somesoni2
Revered Legend

Give this a try

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith=action=login endswith=action=logout keeporphan=f

0 Karma
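The two searches proposed in this thread (the stats-by-cookie one in the accepted answer and the transaction one just above), re-implemented as an added example in plain Python over constructed access-log events so the difference between them is visible; this is not Splunk's code or anything the posters wrote, and the event tuples, function names and the assumption that a second login on the same cookie restarts the transaction are mine.

```python
# Added example: plain-Python mirrors of the two SPL approaches from the thread,
# run over constructed events (not real log data) to show what each one keeps.
from collections import defaultdict

# Constructed sample events: (_time in epoch seconds, action, cookie value).
EVENTS = [
    (1000, "login",  "c1"),   # c1: login, then logout 10 s later -> inside 15 s window
    (1010, "logout", "c1"),
    (2000, "login",  "c2"),   # c2: logout 60 s later -> outside the window
    (2060, "logout", "c2"),
    (3000, "login",  "c3"),   # c3: login only, no logout (orphan)
    (4000, "logout", "c4"),   # c4: logout only (orphan)
    (5000, "login",  "c5"),   # c5: two logins, logout 5 s after the second one
    (5030, "login",  "c5"),
    (5035, "logout", "c5"),
]

def stats_sessions(events, max_span=15):
    """Mirror of: stats latest(_time) earliest(_time) by cookie
                  | eval session_time=latest-earliest | where session_time<max_span+1
    A cookie with a single event has latest == earliest, so session_time is 0
    and it passes the filter: this is the 'single action' result seen in the thread."""
    times = defaultdict(list)
    for t, action, cookie in events:
        if action in ("login", "logout"):
            times[cookie].append(t)
    return {c: max(ts) - min(ts) for c, ts in times.items()
            if max(ts) - min(ts) < max_span + 1}

def paired_sessions(events, max_span=15):
    """Approximation of: transaction cookie maxspan=15s startswith=action=login
                         endswith=action=logout keeporphan=f
    Only a login followed by a logout on the same cookie within max_span counts;
    events without a partner are dropped (keeporphan=f). Assumption: a new login
    on an already-open cookie restarts the session for that cookie."""
    sessions = {}
    open_login = {}  # cookie -> _time of the most recent unmatched login
    for t, action, cookie in sorted(events):
        if action == "login":
            open_login[cookie] = t
        elif action == "logout" and cookie in open_login:
            span = t - open_login.pop(cookie)
            if span <= max_span:
                sessions[cookie] = span
    return sessions
```

On the sample data the stats version keeps c3 and c4 with a session time of 0 (one event each), while the paired version keeps only c1 and c5, the cookies with a login matched by a logout; raising max_span to 900 mirrors the 15-minute variant discussed above.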