<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to track transaction with multiple indexes with different fields? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619228#M215215</link>
    <description>&lt;P&gt;Hello everyone. I am trying to track office and remote logins using multiple indexes with the transaction command. One of the logs has a session id so I am able to use a transaction command to track that but it's the second piece that is difficult. The other index does not have a session id and the only thing that is similar is the username field. For remote logins, if a user signs into the remote desktop app, it will generate an authentication event along with a session id. The other index will also generate a login event. The authentication event and login event are at most a second apart, but in most circumstances are at the same exact time. If a user were to log in from the office, only a login event is captured. My query is as follows but there are some issues with the results I am seeing.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;(index=connection_log username="user" message="logged in") OR (index=remote_app username="user" action=auth OR action=terminateSession)
| transaction username maxspan=2s keeporphans=true
| transaction session_id startswith=auth endswith=terminateSession&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've tried using subsearches as well but am unable to get the desired results. Wondering if anyone else has tried to do something similar. Your help would be appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
    <pubDate>Wed, 02 Nov 2022 15:20:54 GMT</pubDate>
    <dc:creator>jkang117</dc:creator>
    <dc:date>2022-11-02T15:20:54Z</dc:date>
    <item>
      <title>How to track transaction with multiple indexes with different fields?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619228#M215215</link>
      <description>&lt;P&gt;Hello everyone. I am trying to track office and remote logins using multiple indexes with the transaction command. One of the logs has a session id so I am able to use a transaction command to track that but it's the second piece that is difficult. The other index does not have a session id and the only thing that is similar is the username field. For remote logins, if a user signs into the remote desktop app, it will generate an authentication event along with a session id. The other index will also generate a login event. The authentication event and login event are at most a second apart, but in most circumstances are at the same exact time. If a user were to log in from the office, only a login event is captured. My query is as follows but there are some issues with the results I am seeing.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;(index=connection_log username="user" message="logged in") OR (index=remote_app username="user" action=auth OR action=terminateSession)
| transaction username maxspan=2s keeporphans=true
| transaction session_id startswith=auth endswith=terminateSession&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've tried using subsearches as well but am unable to get the desired results. Wondering if anyone else has tried to do something similar. Your help would be appreciated.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2022 15:20:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619228#M215215</guid>
      <dc:creator>jkang117</dc:creator>
      <dc:date>2022-11-02T15:20:54Z</dc:date>
    </item>
    <item>
      <title>Re: Transaction with multiple indexes with different fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619229#M215216</link>
      <description>&lt;P&gt;If a user logged in from the office, how would you tell if/when they logged off or offline?&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2022 04:09:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619229#M215216</guid>
      <dc:creator>johnhuang</dc:creator>
      <dc:date>2022-11-02T04:09:38Z</dc:date>
    </item>
    <item>
      <title>Re: Transaction with multiple indexes with different fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619233#M215219</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250873"&gt;@jkang117&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;let me understand: you want to find if a user uses in the same time period (2 seconds) both local and remote access that are in different indexes and the only common field is username, is it correct?&lt;/P&gt;&lt;P&gt;If this is your need, you should try a different approach using a streaming command such as stats or timechart:&lt;/P&gt;&lt;P&gt;so see my approach and adapt it to your need:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;(index=connection_log username="user" message="logged in") OR (index=remote_app username="user" (action=auth OR action=terminateSession))
| timechart span=2s dc(index) AS index_count BY username
| where index_count&amp;gt;1&lt;/LI-CODE&gt;&lt;P&gt;The transaction command can be used only if you haven't any other solution because it's a very slow command, and using two transaction commands, as in your search, you can run a search and then go to take a coffee while waiting for the answer!&lt;/P&gt;&lt;P&gt;I don't know if my search is exactly what you're searching for, but analyze my approach and try to use it.&lt;/P&gt;&lt;P&gt;Bye.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2022 07:23:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619233#M215219</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-11-02T07:23:33Z</dc:date>
    </item>
    <item>
      <title>Re: Transaction with multiple indexes with different fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619299#M215242</link>
      <description>&lt;P&gt;There isn't a way to really track that in the logs. What I can definitively track are remote login sessions since there is a session id associated to it.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2022 14:32:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619299#M215242</guid>
      <dc:creator>jkang117</dc:creator>
      <dc:date>2022-11-02T14:32:08Z</dc:date>
    </item>
    <item>
      <title>Re: Transaction with multiple indexes with different fields</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619300#M215243</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So to explain, the connection log shows that a user logged in regardless of whether or not the user is coming in remotely or locally at the office. The way to determine if a user is logging in remotely: a user will sign into the remote application and it will generate a login event on the connection log at most within 2 seconds. If they are logging in from the office, there will only be a login event from the connection log. The issue I am running into is, there are times users might log in multiple times within the same session and I'm having difficulty accounting for those logins.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Nov 2022 14:38:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-track-transaction-with-multiple-indexes-with-different/m-p/619300#M215243</guid>
      <dc:creator>jkang117</dc:creator>
      <dc:date>2022-11-02T14:38:47Z</dc:date>
    </item>
  </channel>
</rss>