Hi,
I tested your command and it groups nicely (when used partially), but it only lists the first login and last logout when users have multiple logins; it also complained about login_time. Anyway, thank you for the transaction command example, it will surely help me in the future. However, I found a visualization solution that is satisfactory for now:
index=_* OR index=* sourcetype=data1 login_status="login" OR login_status="logout" | table _time username login_status
index=_* OR index=* sourcetype=data1 action="read" OR action="write" | table _time username action
They are two separate searches, but they work well enough (though it would be nice to combine them).
However, what I would really need now is a way to show actions by users that happen after their logout but before their possible next login, and to alert on those as an anomaly, e.g.
2016/10/12 09:13:18, john, login
2016/10/12 09:14:10, john, read_data
2016/10/12 09:15:20, john, write_data
2016/10/12 09:16:11, john, logout
2016/10/12 09:17:13, john, read_data <- ANOMALY
2016/10/12 09:17:25, john, write_data <- ANOMALY
2016/10/12 09:19:18, john, login
2016/10/12 09:19:20, john, write_data
2016/10/12 09:20:11, john, logout
Any ideas on how to report/alert on those anomalies that happen after a logout but before a (possible) login would be great. No visualisation needed, only a report/alert.
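Added example (not part of the original post or any reply): a small Python model of the detection logic the post asks for. It walks the events in time order, keeps a per-user "logged in / logged out" state, and flags every read/write that arrives while the user's last seen session event is a logout. The log text is constructed from the sample above, with one extra constructed user (alice) who has no login in the window at all; whether such "no login seen yet" events should also be flagged is a policy choice, so it is an option rather than the default. The names (Event, Anomaly, parse_log, find_out_of_session_actions) are mine and are not Splunk or SPL identifiers.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log in the "timestamp, username, action" shape shown in the post.
# john's 09:17:13 and 09:17:25 rows are the anomalies the post marks; alice is an
# added user who acts without any login in the window.
SAMPLE_LOG = """\
2016/10/12 09:13:18, john, login
2016/10/12 09:14:10, john, read_data
2016/10/12 09:15:20, john, write_data
2016/10/12 09:16:11, john, logout
2016/10/12 09:17:13, john, read_data
2016/10/12 09:17:25, john, write_data
2016/10/12 09:19:18, john, login
2016/10/12 09:19:20, john, write_data
2016/10/12 09:20:11, john, logout
2016/10/12 09:21:00, alice, read_data
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    action: str


@dataclass(frozen=True)
class Anomaly:
    event: Event
    last_logout: Optional[datetime]  # None when no session event for this user was seen
    reason: str                      # "after_logout" or "no_login_seen"


def parse_log(text: str) -> List[Event]:
    """Parse 'YYYY/MM/DD HH:MM:SS, user, action' lines and sort them by time."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action = (part.strip() for part in line.split(",", 2))
        events.append(Event(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), user, action))
    # Sorting is stable, so events sharing a timestamp keep their original order.
    events.sort(key=lambda e: e.time)
    return events


def find_out_of_session_actions(events: List[Event],
                                flag_unseen_login: bool = False) -> List[Anomaly]:
    """Flag read/write actions that occur after a user's logout and before the next login.

    State carried per user: whether the last session event was a login, and the
    time of the most recent logout (used to annotate the alert).
    """
    logged_in: Dict[str, bool] = {}
    last_logout: Dict[str, datetime] = {}
    anomalies: List[Anomaly] = []
    for ev in events:
        if ev.action == "login":
            logged_in[ev.user] = True
        elif ev.action == "logout":
            logged_in[ev.user] = False
            last_logout[ev.user] = ev.time
        elif not logged_in.get(ev.user, False):
            # Any non-session action while the user is not in an open session.
            if ev.user in last_logout:
                anomalies.append(Anomaly(ev, last_logout[ev.user], "after_logout"))
            elif flag_unseen_login:
                anomalies.append(Anomaly(ev, None, "no_login_seen"))
    return anomalies


def format_alert(a: Anomaly) -> str:
    """One alert line per anomaly, suitable for a report or a scheduled alert body."""
    since = a.last_logout.strftime("%H:%M:%S") if a.last_logout else "n/a"
    return (f"{a.event.time:%Y/%m/%d %H:%M:%S} user={a.event.user} "
            f"action={a.event.action} reason={a.reason} last_logout={since}")


if __name__ == "__main__":
    for anomaly in find_out_of_session_actions(parse_log(SAMPLE_LOG), flag_unseen_login=True):
        print(format_alert(anomaly))
```

On the constructed sample this reports john's two post-logout actions at 09:17:13 and 09:17:25 (last_logout=09:16:11) and, only when `flag_unseen_login=True`, alice's read at 09:21:00. Missing or out-of-order logout events are the main false-positive source for this kind of rule, so the alert line carries the last logout time to make triage quick; in Splunk the same per-user state walk is what a `streamstats ... by username` pass would carry, but the SPL for that is not shown here.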