topic dynamic lookup based upon dynamic token in Splunk Search

dynamic lookup based upon dynamic token

tyronetv — Wed, 29 Jan 2014 14:04:40 GMT

When my users log into my system they are identified with a token number that follows all of their activity going forward during that session.

What I want to do is say login=john.smith@hostname.com and have it track all the log entries that have the corresponding token. (-459867834847833)

Each time a user log's in, they get a new token.

Suggestions?

Re: dynamic lookup based upon dynamic token

Ayn — Wed, 29 Jan 2014 15:37:51 GMT

The challenge here I guess is that if you filter by "login=john.smith@hostname.com" you will get the token, BUT you filter out the other events that have the token but not the login info. A way of solving this would be to run this filter in a subsearch that emits all corresponding tokens for a certain login, and the outer search then grabs all events with these tokens. Finally use transaction for tying sessions with the same token value together. Assuming you have tokens extracted into a field called token:

* [search login=john.smith@hostname.com | fields token] | transaction token

Re: dynamic lookup based upon dynamic token

tyronetv — Wed, 29 Jan 2014 15:52:02 GMT

I do something today that matches this and it works just fine. What I want is something I can put in props/transforms and allow other users to run the searches without teaching them this level of syntax.

I.e., just teach the support guy to type 'login = ??'

The system records the login ID only once, on the entry wherein the token is assigned. From that point forward, every log entry references the token only.

Re: dynamic lookup based upon dynamic token

Ayn — Wed, 29 Jan 2014 15:55:58 GMT

Right, so wouldn't this be solved by actually using this search but wrapping it inside some kind of form search view that lets users enter the login without having to worry about what goes on behind the scenes?