I have a question. I have this search:
index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/") OR (http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| table host, vhost, audit_token, src_ip, session_id, time_request_total
This gives me two events. In the picture below, the first event contains the http_request_url="/portal/web/private-clients/" value and the second event contains the http_method="POST" value. Both have the same session ID.
I would like to create a dashboard that shows a time frame with the duration between these two events. The resulting duration should be 10 seconds.
Is there a way to do this without using the transaction command, or is there any other way? Kinda curious.
Thanks for your help
@nicxso try the following search. (You can take out session_id="79626ba1b6e186c9011b4ae82dc724c0" from the main search once you are done testing.)
index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access" (http_request_url="/portal/web/private-clients/" OR http_method="POST") AND (session_id="79626ba1b6e186c9011b4ae82dc724c0")
| stats count min(_time) as _time max(_time) as latestTime values(host) as host values(vhost) as vhost values(audit_token) as audit_token values(src_ip) as src_ip values(time_request_total) as time_request_total by session_id
| search count>1
| eval duration=latestTime-_time
| where duration>10
| table host, vhost, audit_token, src_ip, session_id, time_request_total, duration
Thanks, I will try out the search later. I would also like to use the search to display a timeline, where the X-axis shows the time of these two events and the Y-axis the duration. How can I do that? Could I just use the timechart command? How would the search look?
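As an added example that is not part of this thread, the following Splunk Simple XML dashboard puts both pieces together: a stats-only search (no transaction) that measures, per session_id, the time from the landing-page request to the first POST that follows it, and two panels that show the result as a table and as a timechart. Field names (index, sourcetype, http_request_url, http_method, session_id, host, vhost, audit_token, src_ip) are taken from the reply above; the base-search id session_duration, the helper fields landing_time, start_time, end_time and duration, the panel titles and the 24-hour time range are assumptions chosen for this example. It generalizes the reply slightly: instead of count>1 it requires a landing request and a later POST in the same session, so two POSTs without a landing request do not produce a duration.

```xml
<dashboard>
  <label>Private clients: landing page to POST duration</label>

  <!-- Base search, shared by both panels via post-processing.
       Assumption: the landing event is the request with
       http_request_url="/portal/web/private-clients/" and the second
       event is the first POST of the same session_id after it.
       eventstats copies the landing time onto every event of the
       session, so the where clause can keep only POSTs that come later. -->
  <search id="session_duration">
    <query>index=airlock_waf_app_acpt sourcetype="ergon:airlock:waf:web:access"
    (http_request_url="/portal/web/private-clients/" OR http_method="POST")
| eval landing_time=if(http_request_url="/portal/web/private-clients/", _time, null())
| eventstats min(landing_time) as start_time by session_id
| where http_method="POST" AND _time&gt;=start_time
| stats min(_time) as end_time min(start_time) as start_time
        values(host) as host values(vhost) as vhost
        values(audit_token) as audit_token values(src_ip) as src_ip
        by session_id
| eval duration=end_time-start_time</query>
    <!-- Assumed time range; replace with a time input for a real dashboard. -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Duration per session (seconds)</title>
      <table>
        <!-- Post-process the base results: one row per session. -->
        <search base="session_duration">
          <query>| eval _time=start_time
| table _time session_id host vhost audit_token src_ip duration</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Duration over time</title>
      <chart>
        <!-- X-axis: time of the landing request; Y-axis: seconds until the POST.
             timechart needs _time, so it is set to start_time first. -->
        <search base="session_duration">
          <query>| eval _time=start_time
| timechart span=1m max(duration) as duration</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisTitleY.text">seconds</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Sessions that never request the landing page have a null start_time, so the where clause drops them, and a POST to the landing URL itself counts as both events and yields a duration of 0. The timechart uses max(duration) per one-minute bucket; with several sessions per minute you would see the slowest one, so use avg(duration) or add by session_id if you want to distinguish them. eventstats has to hold all events of the time range in memory, which is fine for a single session_id during testing but worth watching on a large time range; the per-panel queries only post-process the already aggregated base results, so they stay cheap.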