Dashboards & Visualizations

How to display a timeframe from two events?

Engager

Hey guys,

I have a question. I have this search:

index=airlockwafappacpt sourcetype="ergon:airlock:waf:web:access" (httprequesturl="/portal/web/private-clients/") OR (httpmethod="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")

| table host, vhost, audittoken, srcip, sessionid, timerequest_total

This gives me two events. In the picture below, the first event contains the httprequesturl="/portal/web/private-clients/" value and the second event contains the http_method="POST" value. Both have the same session id.


I would like to create a dashboard that shows a time frame with the duration between these two events. The resulting duration should be 10 seconds.

Is there a way to do this without using the transaction command, or is there any other way? Kinda curious.

Thanks for your help

0 Karma

Re: How to display a timeframe from two events?

Legend

@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing).

index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count min(_time) as _time max(_time) as latestTime values(host) as host values(vhost) as vhost values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total, duration

| eval message="Happy Splunking!!!"



0 Karma
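The stats-based approach in the answer above, re-implemented in Python as an added example (not code from the original thread) over constructed events, so the grouping, the count>1 filter and the duration threshold can be checked outside Splunk. The event fields and session ids are made up for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the original post): session s1 has
# two matching events 10 seconds apart, s2 has only one matching event,
# and s3 has one event the search criteria do not select at all.
EVENTS = [
    {"_time": 1000, "session_id": "s1", "host": "waf1", "src_ip": "10.0.0.5",
     "http_request_url": "/portal/web/private-clients/", "http_method": "GET"},
    {"_time": 1010, "session_id": "s1", "host": "waf1", "src_ip": "10.0.0.5",
     "http_request_url": "/portal/web/login", "http_method": "POST"},
    {"_time": 1020, "session_id": "s2", "host": "waf2", "src_ip": "10.0.0.9",
     "http_request_url": "/portal/web/private-clients/", "http_method": "GET"},
    {"_time": 1030, "session_id": "s3", "host": "waf2", "src_ip": "10.0.0.7",
     "http_request_url": "/static/app.js", "http_method": "GET"},
]


def matches(ev):
    """The search's event selection: the private-clients URL OR a POST."""
    return (ev["http_request_url"] == "/portal/web/private-clients/"
            or ev["http_method"] == "POST")


def session_durations(events, min_duration=10):
    """Mirror of the stats search: per session_id, count matching events,
    take min/max _time, collect values(host) and values(src_ip), keep only
    sessions with count>1, and compute duration = latestTime - _time."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[ev["session_id"]].append(ev)
    rows = []
    for sid, evs in sorted(groups.items()):
        if len(evs) < 2:  # "| search count>1": a lone event has no duration
            continue
        first = min(e["_time"] for e in evs)
        latest = max(e["_time"] for e in evs)
        duration = latest - first
        # The posted search uses "where duration>10", which would drop a
        # session lasting exactly 10 seconds; ">=" keeps it in the result.
        if duration >= min_duration:
            rows.append({"session_id": sid, "_time": first, "latestTime": latest,
                         "duration": duration, "count": len(evs),
                         "host": sorted({e["host"] for e in evs}),
                         "src_ip": sorted({e["src_ip"] for e in evs})})
    return rows
```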

Re: How to display a timeframe from two events?

Engager

@niketnilay

Thanks, I will try out the search later. I would also like to use the search to display a timeline, where the X-axis shows the time of these two events and the Y-axis shows the duration. How can I do that? Could I just use the timechart command? What would the search look like?

Thanks

0 Karma

Re: How to display a timeframe from two events?

Legend

@nicxso if you want to display the duration for events, you can use the Timeline Custom Visualization.

| eval message="Happy Splunking!!!"


0 Karma

Re: How to display a timeframe from two events?

Engager

@niketnilay Would it also be possible to use the timechart command?

0 Karma