Archive

Web Application Logs: How do you tie two separate records by session ID?

New Member

The scenario:

We are ingesting F5 ASM application logs. When a user first hits the login page and attempts to log in, the keypair is: query_string="cmd=login&languageCd=ENG"; additionally, the userid attribute is logged . If they enter in the wrong credentials, the querystring is changed to "cmd=login&languageCd=ENG&cmd=login&errorCode=105" and the userid attribute is not present in the record. In both of these different records, the sessionid is consistent.

I want to tie these two records using the session_id, so I can create a table that displays the usernames of people who failed to log in. Is there a way to do this with the "transaction" keyword? Thanks!

0 Karma

Splunk Employee
Splunk Employee

Yes, if the session_id is unique to a user's session, you can use transaction or stats with a by session_id clause.

| transaction session_id

OR

| stats values(user_id) by session_id