https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572160#M199412 <P>If I remember correctly, it's not a session ID as such, but a process idientifier for a particular process spawned from the main proftpd daemon to serve this client.</P><P>Anyway, it's easiest to correlate such sequences of events with a transaction.</P><P>You do</P><LI-CODE lang="markup">| transaction SessionID</LI-CODE><P>And you get events groupped into transactions. From those you can</P><LI-CODE lang="markup">| search "active connection or whatever you need"</LI-CODE><P>And finally get your userid field from matching transactions by means of "fields" or "table" commands.</P> Sun, 24 Oct 2021 16:32:56 GMT PickleRick 2021-10-24T16:32:56Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572129#M199392 <P>Hello,<BR /><BR />I'm trying to debug an issue with an FTP service. I'd like to know that which users are using 'active data connection', where the connecting point would only be the sessionID. I have already extracted sessionID and userID as fields.<BR /><BR />The logs for the sessions are varying between 150-3000 lines of events, and I don't know how to match my search criteria, to extract a userID connected to the sessionID that my search result is returning.&nbsp;<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">index=p_ftp sourcetype=debug "active data connection" | stats values(sessionID)</LI-CODE><P>&nbsp;</P><P><BR />This is giving me the sessionIDs properly, I just need the userIDs from the session it logged usually plenty of lines before.<BR /><BR />Can you please help me?<BR /><BR />Thanks a lot in advance</P> Sun, 24 Oct 2021 04:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572129#M199392 pbabos 2021-10-24T04:33:14Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572135#M199396 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240082">@pbabos</a>,</P><P>did you tried something like this:</P><LI-CODE lang="markup">index=p_ftp sourcetype=debug "active data connection" | stats values(userID) AS userID BY sessionID</LI-CODE><P>?</P><P>Ciao.</P><P>Giuseppe</P> Sun, 24 Oct 2021 05:52:50 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572135#M199396 gcusello 2021-10-24T05:52:50Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572136#M199397 <P>Show us a bit of your data. For now it's not obvious what's the relation (in your raw events) between UserID and SessionID.</P><P>If you have events matching UserID and SessionID - that's great, the possible solution has already been posted. But if you have distinct events - one specifying SessionID and another one with UserID - that won't be that easy. You'll need something to connect the events on.</P> Sun, 24 Oct 2021 06:48:14 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572136#M199397 PickleRick 2021-10-24T06:48:14Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572159#M199411 <P>ah yea sorry it would be much easier of course.<BR /><BR /></P><P>This is an example, where you can see the session number is 3082, user is ftptest_user, and I'm looking for the user of the session where my search matches 'active data connection opened'</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">2021-10-22 14:22:06,261 proftpd[3082] ftp.ip (client.ip[client.ip]): USER ftptest_user: Login successful. 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_core 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_vroot 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_auth 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching PRE_CMD command 'RETR monitor.txt' to mod_xfer 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): in dir_check_full(): path = '/monitor.txt', fullpath = '/monitor.txt' 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_vroot 2021-10-22 14:22:06,299 proftpd[3082] ftp.ip (client.ip[client.ip]): dispatching CMD command 'RETR monitor.txt' to mod_xfer 2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - local : ftp.ip:46490 2021-10-22 14:22:06,311 proftpd[3082] ftp.ip (client.ip[client.ip]): active data connection opened - remote : client.ip:9288</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 24 Oct 2021 16:07:17 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572159#M199411 pbabos 2021-10-24T16:07:17Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572160#M199412 <P>If I remember correctly, it's not a session ID as such, but a process idientifier for a particular process spawned from the main proftpd daemon to serve this client.</P><P>Anyway, it's easiest to correlate such sequences of events with a transaction.</P><P>You do</P><LI-CODE lang="markup">| transaction SessionID</LI-CODE><P>And you get events groupped into transactions. From those you can</P><LI-CODE lang="markup">| search "active connection or whatever you need"</LI-CODE><P>And finally get your userid field from matching transactions by means of "fields" or "table" commands.</P> Sun, 24 Oct 2021 16:32:56 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572160#M199412 PickleRick 2021-10-24T16:32:56Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572167#M199415 <P>wow thanks it worked like a charm <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 24 Oct 2021 18:18:52 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572167#M199415 pbabos 2021-10-24T18:18:52Z https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572171#M199417 <P>One more thing - as I said earlier - since your sessionID is actually a pid of proftpd process and might roll-over and repeat, you might tweak the transaction parameters a little (especially the duration and/or events triggering start/end of transaction). But if you don't have many clients, it might not be necessary.</P> Sun, 24 Oct 2021 20:08:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-users-having-a-type-of-connection-based-on-sessionID/m-p/572171#M199417 PickleRick 2021-10-24T20:08:22Z