I need to work out the duration between login and logout of a user from an application.
There are two scenarios for this:
1. User a logs in at 9 AM, logs out at 9:15 AM, then logs in at 10 AM and logs out at 10:30 AM.
2. User b logs in at 8 AM and closes the browser after a few minutes, then logs in again at 9:30 AM and logs out at 10 AM.
Now when I use the transaction command I get the results below:
index=abc sourcetype="abc" (EVENT_TYPE=Login OR EVENT_TYPE=Logout) user=* | transaction user EVENT_TYPE   (over 24 hours)
Type 1, straightforward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a
Type 2, misleading (I need help on this):
2020-01-20T06:15:13.103+0000, EVENT_TYPE=Login
2020-01-20T06:16:55.685+0000, EVENT_TYPE=Login
2020-01-20T06:29:07.445+0000, EVENT_TYPE=Logout
2020-01-20T06:29:07.446+0000, EVENT_TYPE=Logout
2020-01-20T06:41:22.856+0000, EVENT_TYPE=Login
2020-01-20T06:44:07.457+0000, EVENT_TYPE=Logout
2020-01-20T06:48:24.815+0000, EVENT_TYPE=Logout
2020-01-20T06:59:07.383+0000, EVENT_TYPE=Logout
Also, when I ran this:
index=abc sourcetype="abc" | stats count by EVENT_TYPE (for 24 hours)
Login - 5099
Logout - 1799
PLEASE HELP
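The pairing logic the question is asking for, written out as an added Python example (not code from the original post, and not Splunk's own implementation): each Login is matched to the next Logout for the same user; a Login that is followed by another Login with no Logout in between is the "closed the browser" case and is kept as a session with no end time; a Logout with no open session (the two Logouts one millisecond apart in the type 2 output) is counted as an orphan rather than being glued onto an unrelated Login. The log lines are constructed to mirror the two scenarios in the question; the field names EVENT_TYPE and user are taken from the post, the timestamps and the user names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data modelled on the question's two scenarios.
# user a: two clean sessions, plus a duplicated Logout 1 ms after the first one.
# user b: Login, browser closed (no Logout), Login again, then a normal Logout.
SAMPLE_LOG = """\
2020-01-20T09:00:00.000+0000, EVENT_TYPE=Login, user=a
2020-01-20T09:15:00.000+0000, EVENT_TYPE=Logout, user=a
2020-01-20T09:15:00.001+0000, EVENT_TYPE=Logout, user=a
2020-01-20T10:00:00.000+0000, EVENT_TYPE=Login, user=a
2020-01-20T10:30:00.000+0000, EVENT_TYPE=Logout, user=a
2020-01-20T08:00:00.000+0000, EVENT_TYPE=Login, user=b
2020-01-20T09:30:00.000+0000, EVENT_TYPE=Login, user=b
2020-01-20T10:00:00.000+0000, EVENT_TYPE=Logout, user=b
"""


@dataclass
class Session:
    user: str
    login: datetime
    logout: Optional[datetime]  # None when no Logout was ever seen for this Login

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.logout is None else self.logout - self.login


def parse_line(line: str):
    """Parse 'timestamp, EVENT_TYPE=..., user=...' into (datetime, event_type, user)."""
    ts, *fields = [part.strip() for part in line.split(",")]
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), kv["EVENT_TYPE"], kv["user"]


def pair_sessions(log_text: str):
    """Return (sessions, orphan_logout_count) for the log text.

    Events are processed in time order with one open session per user, so a
    Logout is only ever attached to the most recent unclosed Login of that user.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    open_sessions = {}          # user -> Session that has not seen a Logout yet
    sessions = []
    orphan_logouts = 0
    for ts, kind, user in events:
        if kind == "Login":
            if user in open_sessions:
                # Second Login with no Logout between: the earlier session ended
                # without a Logout (browser closed). Keep it, with logout=None.
                sessions.append(open_sessions.pop(user))
            open_sessions[user] = Session(user, ts, None)
        elif kind == "Logout":
            if user in open_sessions:
                s = open_sessions.pop(user)
                s.logout = ts
                sessions.append(s)
            else:
                orphan_logouts += 1  # nothing to close: duplicate/stray Logout
    sessions.extend(open_sessions.values())  # still open at the end of the window
    sessions.sort(key=lambda s: (s.user, s.login))
    return sessions, orphan_logouts


if __name__ == "__main__":
    found, orphans = pair_sessions(SAMPLE_LOG)
    for s in found:
        end = s.logout.isoformat() if s.logout else "no Logout seen"
        dur = f"{s.duration.total_seconds() / 60:.0f} min" if s.duration else "unknown"
        print(f"user={s.user} login={s.login.isoformat()} logout={end} duration={dur}")
    print(f"orphan logouts: {orphans}")
```

This is why the raw Login/Logout counts differ so much (5099 vs 1799): every closed browser leaves a Login with no matching Logout, and duplicated Logouts leave Logouts with no matching Login. In SPL the same pairing is expressed by telling transaction where a session starts and ends instead of grouping on EVENT_TYPE, e.g. `transaction user startswith="EVENT_TYPE=Login" endswith="EVENT_TYPE=Logout" maxevents=2`, and reading the `duration` field it adds; Logins that were never closed then show up as transactions that have no Logout event, which is the type 2 case.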