Hey guys,
I have a question. I have this search:
index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| table host, vhost, audit_token, src_ip, session_id, time_request_total
This gives me two events. In the picture below, the first event contains the http_request_url="/portal/web/private-clients/" value and the second event contains the http_method="POST" value. Both have the same session id.
I would like to create a dashboard that shows a time frame with the duration between these two events. The resulting duration should be 10 seconds.
Is there a way to do this without using the transaction command, or is there any other way? Kinda curious.
Thanks for your help
@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).
index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count min(_time) as _time max(_time) as latestTime values(host) as host values(vhost) as vhost values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total
@niketnilay
Thanks, I will try out the search later. I would also like to use the search to display a timeline, where the X-axis shows the time from these two events and the Y-axis the duration. How can I do that? Could I just use the timechart command? What would the search look like?
Thanks
@niketnilay Would it also be possible to use the timechart command?
@nicxso if you want to display the duration for events you can use the Timeline Custom Visualization.
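As an added, runnable illustration of the two answers in this thread (it is not code from the thread, from Splunk, or from Airlock), the Python below replays the stats-by-session logic of the rewritten search over a handful of constructed access events: it groups by session_id, takes min/max _time, keeps sessions with more than one event and derives the duration, and then shapes those rows for a per-session timeline as the last answer suggests. It also shows why the parentheses in the rewritten search matter, since SPL's AND binds tighter than OR. Field names are the ones used in the thread; the events, host names, IP addresses and tokens are constructed, and the timeline row layout (_time, resource, duration in milliseconds) is an assumption about what a timeline visualization consumes.

```python
"""Replay of the SPL logic from this thread over constructed events.

Constructed sample data (not real Airlock WAF logs): two events from the
session in the question, 10 seconds apart, plus one private-clients hit
from a different session that should NOT end up in the result.
"""
from collections import defaultdict

TARGET_SESSION = "79626ba1b6e186c9011b4ae82dc724c0"   # session id from the question
PORTAL_URL = "/portal/web/private-clients/"

# Constructed events; epoch seconds chosen so the target session spans 10 s.
EVENTS = [
    {"_time": 1600000000, "host": "waf01", "vhost": "portal.example.test",
     "audit_token": "tok-a", "src_ip": "203.0.113.10", "session_id": TARGET_SESSION,
     "http_request_url": PORTAL_URL, "http_method": "GET", "time_request_total": 120},
    {"_time": 1600000010, "host": "waf01", "vhost": "portal.example.test",
     "audit_token": "tok-a", "src_ip": "203.0.113.10", "session_id": TARGET_SESSION,
     "http_request_url": "/portal/web/login", "http_method": "POST", "time_request_total": 340},
    {"_time": 1600000005, "host": "waf01", "vhost": "portal.example.test",
     "audit_token": "tok-b", "src_ip": "198.51.100.7",
     "session_id": "0123456789abcdef0123456789abcdef",   # constructed second session
     "http_request_url": PORTAL_URL, "http_method": "GET", "time_request_total": 90},
]


def original_filter(ev, session=TARGET_SESSION):
    """The question's search as written: url OR method AND session.
    AND binds tighter than OR, so this reads url OR (method AND session)
    and lets in private-clients hits from every session."""
    return ev["http_request_url"] == PORTAL_URL or (
        ev["http_method"] == "POST" and ev["session_id"] == session)


def fixed_filter(ev, session=TARGET_SESSION):
    """The answer's search: (url OR method) AND session."""
    return (ev["http_request_url"] == PORTAL_URL or ev["http_method"] == "POST") \
        and ev["session_id"] == session


def stats_by_session(events, keep):
    """Equivalent of: stats count min(_time) max(_time) values(...) by session_id."""
    groups = defaultdict(list)
    for ev in events:
        if keep(ev):
            groups[ev["session_id"]].append(ev)
    rows = []
    for sid, evs in groups.items():
        times = [e["_time"] for e in evs]

        def values(field):  # values(): unique values, sorted, like Splunk's values()
            return sorted({str(e[field]) for e in evs})

        rows.append({
            "session_id": sid, "count": len(evs),
            "_time": min(times), "latestTime": max(times),
            "host": values("host"), "vhost": values("vhost"),
            "audit_token": values("audit_token"), "src_ip": values("src_ip"),
            "time_request_total": values("time_request_total"),
        })
    return rows


def session_durations(events, keep=fixed_filter, min_count=2):
    """search count>1 | eval duration=latestTime-_time  (duration in seconds)."""
    out = []
    for row in stats_by_session(events, keep):
        if row["count"] >= min_count:
            row["duration"] = row["latestTime"] - row["_time"]
            out.append(row)
    return out


def timeline_rows(events, keep=fixed_filter):
    """Rows shaped for a per-session timeline view (assumed layout):
    start time, a label per bar, and the duration in milliseconds."""
    return [{"_time": r["_time"], "resource": r["session_id"], "duration": r["duration"] * 1000}
            for r in session_durations(events, keep)]


if __name__ == "__main__":
    print("original filter matches:", sum(original_filter(e) for e in EVENTS))
    print("fixed filter matches:", sum(fixed_filter(e) for e in EVENTS))
    for r in session_durations(EVENTS):
        print(r["session_id"], "count", r["count"], "duration", r["duration"], "s")
```

Run as-is, the original filter admits all three constructed events while the fixed one keeps only the two from the target session, and the stats stage reports a single session with count 2 and a duration of 10 seconds. Note that the posted `where duration>10` would drop exactly this 10-second case; use `>=` if a duration of exactly 10 seconds is meant to be shown.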