topic Re: Using transaction to detect timeouts in Getting Data In

Using transaction to detect timeouts

jbrenner — Thu, 31 Aug 2017 17:35:00 GMT

I would like to use the transaction command to find adjacent log entries with the same IP and different Session IDs.
Ideally, I would only like to return adjacent pairs of log statements with at least a 15 minute timestamp difference between them.

Here is the REX I'm using to extract SESSION_ID:

rex field=_raw "-S:(?<SESSION_ID>\w+)-"

Thanks!
Jonathan

Re: Using transaction to detect timeouts

cmerriman — Thu, 31 Aug 2017 19:12:58 GMT

some examples of your data would be helpful. transaction will only allow you to put in arguments for max pause, though you could search for durations after the fact.

|transaction IP SESSION_ID maxevents=2|search duration>=900

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Transaction

i prefer streamstats, myself.

|sort 0 IP SESSION_ID + _time
| streamstats window=1 current=f values(_time) as previousTime by IP SESSION_ID|eval duration=_time-previousTime|search duration>=900

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Streamstats

just for ideas.

Re: Using transaction to detect timeouts

woodcock — Sun, 03 Sep 2017 00:28:13 GMT

Try this:

Your Base Search Here
|  rex field=_raw "-S:(?<SESSION_ID>\w+)-"
| streamstats time_window=900 min(_time) AS start range(_time) AS duration values(SESSION_ID) dc(SESSION_ID) AS numSessions BY host
| search numSessions>1