topic Re: Has Splunk got a good memory ? in Splunk Search

Has Splunk got a good memory ?

Mahieu — Tue, 23 Aug 2011 10:05:36 GMT

Hi,

I'm trying to identify the difference between two events, for instance :
Event 1 : user=jdoe message="session timed out"
Event 2 : user=jdoe message="logged in"

Problem is : i have to keep the user parameter saved somehow.

Two options would work for me, either finding out what's the time difference between these events or knowing if event 2 happens less than x minutes after event 1.

I've tried using delta and transaction but it's not working correctly ...

Thanks in advance for your help.

Re: Has Splunk got a good memory ?

Ayn — Tue, 23 Aug 2011 10:11:07 GMT

I think you'll need to state your problem more clearly. In what way do you need to 'save' the user parameter? How are you planning to use this search? Should it be user-independent and used in a search form somehow where Splunk users can specify the value for this field?

Re: Has Splunk got a good memory ?

Mahieu — Tue, 23 Aug 2011 11:55:32 GMT

Sorry for the unclear explanation. In the end, the goal is to know whether or not my users log back in (event : jdoe logged in) when their session time out (event : jdoe's session timed out). The idea is to identify the users who do not log out when they leave my application and that's not good because they leave idle sessions.

Re: Has Splunk got a good memory ?

fk319 — Tue, 23 Aug 2011 13:04:48 GMT

I think transaction is the correct direction.

What I would suggest that you look for is a transaction that has a message [list] that has more than one "log in" and a "time out".

Re: Has Splunk got a good memory ?

chris — Tue, 23 Aug 2011 13:59:59 GMT

I also think that the transaction command could help you, I haven't tried the search below but the idea is to get all users that log back in into a transaction and then just search for the unclosed transactions. You should then be left with logins and session timeouts that are not related.

message="logged in" OR message="session timed out" | transaction user  maxspan=<x min> maxpause=<x min>  startswith="session timed out" endswith="logged in" keepevicted=true | search closed_txn=0

You probably just want the users in the session timed out messages.

message="logged in" OR message="session timed out" | transaction user  maxspan=<x min> maxpause=<x min>  startswith="session timed out" endswith="logged in" keepevicted=true | search closed_txn=0 message="session timed out" | top user

Chris

Re: Has Splunk got a good memory ?

araitz — Tue, 23 Aug 2011 16:44:45 GMT

Here's a blog post I wrote about maintaining state with lookups:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

Re: Has Splunk got a good memory ?

Mahieu — Sat, 27 Aug 2011 17:04:00 GMT

Hi there and thanks a lot for this answer. I've tried that but removed keepevicted=true. If i leave ' search closed_txn=0 message="session timed out" ' i've got no results. If i remove it, i've got the events i'm looking for but it seems like the maxspan is not taken into account. No matter what time value i put, it's not filtering anything.

Here's my search :

sourcetype="xxxxxx" msg="login succeeded" OR msg="Session timed out" | transaction user startswith="Session timed out" endswith="login succeeded" maxspan=5min maxpause=1min (| search closed_txn=0 msg="Session timed out")

Re: Has Splunk got a good memory ?

Mahieu — Tue, 30 Aug 2011 09:14:05 GMT

Any ideas here ?

Re: Has Splunk got a good memory ?

Mahieu — Fri, 15 Jun 2012 08:50:48 GMT

It's been a while sorry, here's all i could come up with :
sourcetype=xxx msg="primary authentication successful" OR msg="session timed out" | transaction user startswith="session timed out" endswith="primary authentication successful" maxspan=5m | search msg="session timed out"

Seems to work pretty well.
Thanks for your help.