topic Re: Search for group user activities based on Login Logout time in Splunk Search

How to search for group user activities based on Login Logout time?

neerajs_81 — Tue, 12 Apr 2022 16:22:12 GMT

Gentlemen

My raw events have a field called login_time which has values of format ( 2022-04-11 10:52:08 ) . This is the time an user logs in to the system. There is no logout_time field in raw data. Now, the requirement is to track all activities done by the user starting from login_time and ending with login_time + 8 hours.

1) How do i add this 8 hours to the login_time in my search ? Do i create an eval function something like eval logout_time = login time + 8:00:00 ?
2) Transaction works with strings in startswith and endswith. Can it be used to track time which is in numerical format as shown in below query ? If not, how else to group all events done by the user within the login and logout time ?

index=xxxx transaction startswith ="2022-04-11 10:52:08" endswith="2022-04-11 10:52:08 + 8 hrs" | stats .... by user

Hope i am clear

Re: Search for group user activities based on Login Logout time

sperkins — Mon, 11 Apr 2022 19:17:49 GMT

try:

| eval Epoch_login =strptime(login_time,”%Y-%m-%d %H:%M:%S”)

| eval log_out = relative_time(Epoch_login,"+8h")

Use %I instead of %H, if it isn't in 24 hour time format, but in 12 hour.

To use relative_time the time has to be in Epoch which is why I converted it first. Then added 8 hours to the epoch time to give you the log_out time

https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#relative_time.28.26.2360.3Btime.26.2362.3B.2C.26lt.3Bspecifier.26gt.3B.29

Re: Search for group user activities based on Login Logout time

sperkins — Mon, 11 Apr 2022 19:16:56 GMT

You can use fields to group transactions together. So group it by the user field and use the maxspan time to make sure the first activities and last are no more than 8 hours apart.

| transaction user maxspan=8h

Re: Search for group user activities based on Login Logout time

neerajs_81 — Tue, 12 Apr 2022 05:47:43 GMT

if i use | transaction user maxspan=8h , how can i tell Splunk where to start from ? Any way to tell it to do something like this ?

| transactions startswith="2022-04-11 08:00:00" maxspan=8h

Though in this case it will end up considering the timestamp mentioned above , as a string and so won't be able to add 8hours to it, and eventually the maxspan=8h will fail.

Re: Search for group user activities based on Login Logout time

neerajs_81 — Tue, 12 Apr 2022 05:58:28 GMT

@sperkins If i use these 2 evals, i see the value of eval is in Unix time. So, will something like this work to get me all the activities performed by the user in that interval ?

 | where _time > Epoch_login and _time < = log_out

Re: Search for group user activities based on Login Logout time

PickleRick — Tue, 12 Apr 2022 06:35:21 GMT

Try and see, as a colleague of mine in previous workplace used to say 😉

But no, it won't be that simple. If you dom those evals you'll have the logout time in the login event. The search command doesn't know about this value. You'd need to either distribute it to the events as an additional fields with eventstats/streamstats to then filter on a condition similar to that you just wrote. Or you can use transaction, as someone already showed.

One caveat though - what will happen if someone logs in twice during thkse 8 hours? And what would you like to get as a result in this case?

Re: Search for group user activities based on Login Logout time

sperkins — Tue, 12 Apr 2022 13:39:36 GMT

You could do
| transaction user startswith=(login_time=* ) maxspan=8h

This will group events by the user, where the first event starts with login_time and it won't go more than eight hours. That way it can start with the time of login.

Unless you want it to start from a certain time. In which case the string time value makes sense.