topic Re: Find Transactions that overlap a certain timestamp in Getting Data In

Find Transactions that overlap a certain timestamp

Splunkster45 — Wed, 07 Jan 2015 14:29:54 GMT

I've been able to use the transaction command to group logins and logouts of users. What's the best way to find the transactions that occur overlap a certain timestamp? For example if I have a transaction that starts at 10 and ends at 11:00 I would want them to show up when searching 10:30.

I've been able to split the transaction up into two rows with data of the following form:
_time.........................................user....Login....Logout
12/29/14 10:00:00.000 AM..........A.........1............0......
12/29/14 11:00:00.000 AM..........A.........0............1......

and I think this form may be slightly easier to work with, but I can't think of how to grab all users that logged in before 10:30 and logged out after 10:30.

Thanks in advance!

Re: Find Transactions that overlap a certain timestamp

aweitzman — Wed, 07 Jan 2015 15:03:07 GMT

All of your transactions will have a _time field representing the first event in the transaction, as well as a duration field telling you the difference in seconds between the first event in the transaction and the last event. Based on this, you can pass in the time you want and see whether it fits within that information.

...transaction-generating-search...
| convert num(_time) as startetime
| eval endetime=startetime+duration
| eval mytime="2015-01-07 12:34:56"
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(mytime) as myetime
| where myetime>=startetime and myetime<=endetime

Hope this is helpful.

Re: Find Transactions that overlap a certain timestamp

Splunkster45 — Wed, 07 Jan 2015 16:05:05 GMT

Thanks! I ended up using | eval startetime=_time instead of | convert num(_time) as startetime but it worked for me!