https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371013#M109165 <P>hi richgalloway,</P> <P>Thanks for answering. from the solution you suggested i am missing below two:</P> <P>transactions of user/ip from login to logout<BR /> events that are generated are unknown they are active/inactive</P> <P>Thanks.</P> Wed, 10 May 2017 04:00:19 GMT hariram159 2017-05-10T04:00:19Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371011#M109163 <P>Hi Everyone,</P> <P>I am trying to capture active sessions with transaction command but unsuccessful, searched answers.splunk.com i didnt get a solution for me which is working...</P> <P>|transaction ipaddr host startwith="<EM>login.jsp</EM>" - gives me all transactions<BR /> |transaction ipaddr host startwith="<EM>login.jsp</EM>" endswith="<EM>logout.jsp</EM>" - gives me all completed transactions</P> <P>almost tried all solutions given in answers.splunk.com except eventtype, need to try with that...</P> <P>Any solutions with out having lookup tables ??</P> Wed, 10 May 2017 01:29:40 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371011#M109163 hariram159 2017-05-10T01:29:40Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371012#M109164 <P>Maybe <CODE>transaction</CODE> is not the tool for this job. This query will return the most recent of the logins and logouts for each ipaddr/host pair, which should find the 'logins' without a matching 'logout'.</P> <PRE><CODE>index=foo ("login.jsp" OR "logout.jsp") | dedup ipaddr host | ... </CODE></PRE> Wed, 10 May 2017 02:01:42 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371012#M109164 richgalloway 2017-05-10T02:01:42Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371013#M109165 <P>hi richgalloway,</P> <P>Thanks for answering. from the solution you suggested i am missing below two:</P> <P>transactions of user/ip from login to logout<BR /> events that are generated are unknown they are active/inactive</P> <P>Thanks.</P> Wed, 10 May 2017 04:00:19 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371013#M109165 hariram159 2017-05-10T04:00:19Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371014#M109166 <P>Any solutions please for a straight forward requirement.</P> Wed, 10 May 2017 10:21:50 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371014#M109166 hariram159 2017-05-10T10:21:50Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371015#M109167 <P>Active sessions are those ipaddr/host pairs that have a 'login'; inactive sessions will show a 'logout'.</P> <P>Your OP did not mention needing all transactions between login and logout.</P> Wed, 10 May 2017 11:54:16 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371015#M109167 richgalloway 2017-05-10T11:54:16Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371016#M109168 <P>yes i need events of active sessions as i mentioned i am trying to capture active sessions which means those events. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 10 May 2017 12:57:16 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371016#M109168 hariram159 2017-05-10T12:57:16Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371017#M109169 <P>Hi richgalloway,</P> <P>i have just seen again keeping your solution to get active login sessions, it gives me login.jsp transactions of which are completed, even we cant get count of active sessions also with this solution as per the output of the command.</P> <P>Thanks.</P> Thu, 11 May 2017 16:49:28 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371017#M109169 hariram159 2017-05-11T16:49:28Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371018#M109170 <P>Hi All,</P> <P>can any one give me the solution ?</P> Thu, 11 May 2017 16:50:45 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371018#M109170 hariram159 2017-05-11T16:50:45Z https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371019#M109171 <P>event type not working with transaction, not only transaction with any subsearch</P> Sat, 13 May 2017 06:02:58 GMT https://community.splunk.com/t5/Splunk-Search/Capture-Active-transactions/m-p/371019#M109171 hariram159 2017-05-13T06:02:58Z