topic how to search events with a common value in Splunk Search

how to search events with a common value

andreac81 — Tue, 20 Jun 2017 16:11:07 GMT

Hi to all,

I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)

I set this search

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s

It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks

Re: how to search events with a common value

somesoni2 — Tue, 20 Jun 2017 16:24:24 GMT

Give this a try

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith=action=login endswith=action=logout keeporphan=f

Re: how to search events with a common value

jplumsdaine22 — Tue, 20 Jun 2017 16:26:05 GMT

If all events cntain the cookie field you can use stats. Something like this might work:

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16

Re: how to search events with a common value

andreac81 — Wed, 21 Jun 2017 09:09:54 GMT

Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?

Thanks,
Andrea

Re: how to search events with a common value

jplumsdaine22 — Wed, 21 Jun 2017 11:09:44 GMT

Assuming I have understood you correctly, session_time<901 (ie 15 minutes and 1 second)

Re: how to search events with a common value

andreac81 — Tue, 29 Sep 2020 14:33:26 GMT

I better tested the search
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. session time of login), instead I need the session time beetween login and logout, how can I modify the search?
Thanks,
Andrea

Re: how to search events with a common value

jplumsdaine22 — Thu, 22 Jun 2017 08:48:57 GMT

It\s hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else.

Re: how to search events with a common value

andreac81 — Thu, 22 Jun 2017 08:51:50 GMT

It's correct " The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with same cookie"

Re: how to search events with a common value

jplumsdaine22 — Thu, 22 Jun 2017 12:13:22 GMT

Yes so that it what my search will calculate. When you say "but it returns the session time of the single action " what value do you actually see?