topic How to calculate length of session in Splunk Search

How to calculate length of session

crobicha — Thu, 03 Nov 2011 22:00:35 GMT

I have ssh events in the following log format:

sshd[31922]: pam_unix(sshd:session): session closed for user root

sshd[31922]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd[30954]: pam_unix(sshd:session): session closed for user root

sshd[30954]: pam_unix(sshd:session): session opened for user root by (uid=0)
...

How difficult would it be to generate a report each week that lists each session and its length?

It seems like I need to do something similar to this thread (http://splunk-base.splunk.com/answers/4886/eval-time-between-events-for-transaction-by-group), but I'm not sure exactly how I would apply this to my situation - how do I ensure that the proper session open and close events are correlated?

Re: How to calculate length of session

Ayn — Thu, 03 Nov 2011 22:22:18 GMT

Looking at the question you linked to, that one covers how to calculate the time between sessions whereas in your case you need to calculate the time within the session. This should be pretty easy to achieve by creating a transaction based on the pid. Assuming you have the pid extracted into a field with the same name, just do

... | transaction pid startswith="session opened" endswith="session closed"

When the transaction command creates transactions, it always outputs a field for each transaction called "duration", which is exactly what it sounds like - the duration of the transaction, in seconds. So to get a table of all sessions and their lengths, do something like this (assuming you have the user extracted into a field called "user"):

... | transaction pid startswith="session opened" endswith="session closed" | table _time user duration

Re: How to calculate length of session

crobicha — Fri, 04 Nov 2011 14:18:40 GMT

Thanks Ayn, that's exactly what I needed!