https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624237#M217032 <P>Try again without the <FONT face="courier new,courier">reverse</FONT> command.&nbsp; The <FONT face="courier new,courier">transaction</FONT> command makes assumptions about the order of events and <FONT face="courier new,courier">reverse</FONT> messes with that.</P> Wed, 14 Dec 2022 13:40:08 GMT richgalloway 2022-12-14T13:40:08Z https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624141#M216988 <P>I have daily user login/logout data like this:</P> <PRE>date,user,action<BR />2020-04-14 01:00:00,user1,login<BR />2020-04-14 01:05:00,user2,login<BR />2020-04-14 01:10:00,user3,login<BR />2020-04-14 02:40:00,user2,logout<BR />2020-04-14 02:50:00,user3,logout<BR />2020-04-14 03:10:00,user2,login<BR />2020-04-14 03:10:00,user1,logout<BR />2020-04-14 03:30:00,user3,login<BR />2020-04-14 04:20:00,user2,logout</PRE> <P>Users can login/logout multiple times in a day. A session closes and then new session opens. (like user2) I need to get the duration for every session and there is no session id.</P> <P>How can i merge this two events in one row: Login and first logout after login. Like this:</P> <PRE>login_date,logout_date,user<BR />2020-04-14 01:00:00,2020-04-14 03:10:00,user1<BR />2020-04-14 01:05:00,2020-04-14 02:40:00,user2<BR />2020-04-14 01:10:00,2020-04-14 02:50:00,user3<BR />2020-04-14 03:10:00,2020-04-14 04:20:00,user2<BR />2020-04-14 03:30:00,-,user3&nbsp;</PRE> Tue, 13 Dec 2022 15:17:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624141#M216988 alissan 2022-12-13T15:17:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624163#M216995 <P>Here's a solution that uses the <FONT face="courier new,courier">transaction</FONT> command.</P><LI-CODE lang="markup">&lt;&lt;your search for events&gt;&gt; | transaction user startswith="login" endswith="logout" keeporphans=1 | eval login_date=mvindex(date,0), logout_date=mvindex(date, 1) | table login_date, logout_date, user</LI-CODE><P>Perhaps someone else can suggest a solution that does not use the hated <FONT face="courier new,courier">transaction</FONT> command.</P> Tue, 13 Dec 2022 16:30:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624163#M216995 richgalloway 2022-12-13T16:30:58Z https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624229#M217029 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, i tried your suggest.</P><P>But the result is wrong:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-12-14 at 14.34.34.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23002i2205C4B5EED8061A/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2022-12-14 at 14.34.34.png" alt="Screenshot 2022-12-14 at 14.34.34.png" /></span></P><P>&nbsp;</P><P>And i tried this search (this query is too complex, there may be a shorter and safer solution):</P><PRE>sourcetype="vpn_duration"<BR />|reverse<BR />|eval c1=1<BR />|streamstats sum(c1) as sum by user,action<BR />|eval session_id=user+"@@"+sum<BR />|table date,session_id,action<BR />|stats list(date) as date_list,list(action) by session_id<BR />|eval login_date=mvindex(date_list,0), logout_date=mvindex(date_list,-1)<BR />|eval session_id_temp=split(session_id,"@@")<BR />|eval username=mvindex(session_id_temp,0)<BR />|table username,login_date,logout_date</PRE><P><BR />Result:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-12-14 at 14.39.09.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23003i67EC57D2E583A010/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2022-12-14 at 14.39.09.png" alt="Screenshot 2022-12-14 at 14.39.09.png" /></span></P> Wed, 14 Dec 2022 11:52:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624229#M217029 alissan 2022-12-14T11:52:15Z https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624237#M217032 <P>Try again without the <FONT face="courier new,courier">reverse</FONT> command.&nbsp; The <FONT face="courier new,courier">transaction</FONT> command makes assumptions about the order of events and <FONT face="courier new,courier">reverse</FONT> messes with that.</P> Wed, 14 Dec 2022 13:40:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624237#M217032 richgalloway 2022-12-14T13:40:08Z https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624243#M217035 <P>It's works. Thank you.</P> Wed, 14 Dec 2022 14:35:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-first-logout-after-login/m-p/624243#M217035 alissan 2022-12-14T14:35:43Z