Active sessions overview: How to figure out if a u...

HaakonRuud · ‎01-18-2023

I've been struggeling for a while and hopefully someone here can help me.
Need to figure out if a user have an active session based on session id and user name.

Active session is defined as only event 21 received OR event 25 received has newer timestamp than event 24 received.

Not active session is defined if only event 21 AND event 24 is received OR event 24 received has newer
timestamp than event 25 received.

Search starts something like this:
index=main source=events EventCode IN (21,24,25) | fields _time, User, EventCode, Session_ID, host

Thanks in advance

PaulPanther · ‎01-18-2023

@HaakonRuud Please check out following search and let me know if it could be helpful and lead you into the right direction.

I'm currently not sure of the provided conditions and their time frames. Maybe someone else has a smarter way.

| makeresults count=8 
| streamstats count 
| eval event_id = case(count=1, "21", count=2, "25", count=3, "24", count=4, "24", count=5, "24", count=6, "21", count=7, "21", count=8, "25") 
| eval _time= case(count=1, "1673274655", count=2, "1673273755", count=3, "1673272855", count=4, "1673271955", count=5, "1673271055", count=6, "1673270155", count=7, "1673269255", count=8, "1673268355") 
| eval user = case(count=1, "userA", count=2, "userB", count=3, "userA", count=4, "userB", count=5, "userA", count=6, "userC", count=7, "userB", count=8, "userA") 
| stats list(event_id) as event_ids by user 
| makemv delim=";" event_ids 
| eval status=case(event_ids LIKE "25%","active",event_ids="21", "active", 1=1, "inactive")

Active sessions overview: How to figure out if a user have an active session based on session id and user name?

data

field extraction

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!