topic Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? in Splunk Search

Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

phillipmadm — Mon, 13 Mar 2017 16:55:36 GMT

We are logging information from a network security device that has multiple fields of interest. LOGIN, LOGOUT, START, and DISCONNECT messages all have unique time stamps and messages associated with a user (but a unique id with each session). How can I have a single report for a user with the timestamp for LOGIN, LOGOUT per each session?

Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

niketn — Mon, 13 Mar 2017 17:45:55 GMT

Do you have unique id per message or per session or do not have unique id for correlation at all? What kind of user information do you have? Can you add some sample mocked up data?

Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

phillipmadm — Tue, 29 Sep 2020 13:14:25 GMT

Examples are below but the goal is to be able to report (per user) login time, logout time, session duration over multiple days. 🙂
LOGIN, LOGOUT, User, SessionId, Duration....are all extracted fields
Thank you

Example of a login event
Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.1439" - SSLVPN_client_type - Group(s) "N/A"

Example of a logout event
Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Start_time "03/10/2017:18:34:57 " - End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - Http_resources_accessed 23 - NonHttp_services_accessed 0 - Total_TCP_connections 74 - Total_UDP_flows 0 - Total_policies_allowed 74 - Total_policies_denied 0 - Total_bytes_send 2170 - Total_bytes_recv 417916 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 159514 - Compression_ratio_send 0.00% - Compression_ratio_recv 61.83% - LogoutMethod "Explicit" - Group(s) "N/A"

Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

niketn — Tue, 29 Sep 2020 13:14:52 GMT

@phillipmadm, looking at your sample events LOGOUT event in itself is complete as it also has the login details for example

Correlation Keys like - SessionId, User, Client_ip
And correlating fields like - Start_time, End_time, Duration

Also like you have mentioned so many other interesting fields are also present like LogoutMethod.

You can add LOGOUT to your base search to get only the logout event and then with override _time with Start_time and plot duration on the timechart. You can also consider using Timeline custom visualization to plot duration as Gantt Chart

<Your Base Search> LOGOUT
| eval Start_time=strptime(Start_time,"%m/%d/%Y:%H:%M:%S")
| eval _time=Start_time
| timechart max(Duration) as MaxDuration by User

You can try various by clauses apart from User like Client_ip, SessionId and even composite key like

 eval Key=User." (SessionID:".SessionId.")"

PS: I have performed _time override with Start_time from your log since LOGOUT event has Logout time in the _time event by default.

Finally, if you want to display all Login/Logout you can use values(Duration) and preferably stats instead of timechart. Please try this and let us know how it goes.

Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session?

phillipmadm — Thu, 15 Jun 2017 18:05:58 GMT

Good to go 🙂