Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get the timestamps of the first and last events in a transaction?

BlueSocket
Communicator
‎11-10-2015 05:49 AM

Dear All,

I am setting up a report of Username, Logged in time, Logged out time, Internal and External IP Addresses from a VPN node log. I have already determined how I can get the identifying marks for the start and end events, the IP Addresses (all in different events - thank you) and I have created a transaction to group them together. Here is my search string, as is:

index=infrastructure sourcetype=syslog Session_Number="*" | transaction Session_Number | fields Outside_IP, Client_Inside_IP, login_username

However, I then want to use the Internal IP Address and start (logged in) and end (logged out) times and then use the data in a subsearch against other logs.

I know that I could use the stats command to get the Earliest and Latest times, but I need the other fields in the output, so I need a transaction and that would get me:

index=infrastructure sourcetype=syslog Session_Number="*" | stats earliest(_time) AS Login_Time, latest(_time) AS Logout_Time by Session_Number | convert ctime(Login_Time) ctime(Logout_Time)

However, do I put these two together to have both? Ideally, I would ask that Splunk add the fields _transaction_start_time and _transaction_end_time to the function, but that might be asking too much.

How do I do this, please?

Kindest regards,

BlueSocket

Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎11-10-2015 07:24 AM

There are a few ways to do this, here are a couple that come to mind:

  1. The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration. This gives you a per-transaction Login_Time and Logout_Time. So you'd end up with:
    ...beginning of your search and transaction | eval Login_Time=_time | eval Logout_Time=_time + duration | ...rest of your search or reporting commands...
    2.You could eval the start and end times before your transaction command in the search string, then when your transaction is built, the Login_Time and Logout_Times are added as fields to the transaction:

    ... your search before transaction | eval Login_Time=if(searchmatch("Received User-Agent header"),_time,null()) | eval Logout_Time=if(searchmatch("Session statistics - bytes in"),_time,null()) | transaction command and rest of search...

Hopefully one of those ideas will help you out.

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎11-10-2015 07:24 AM

There are a few ways to do this, here are a couple that come to mind:

  1. The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration. This gives you a per-transaction Login_Time and Logout_Time. So you'd end up with:
    ...beginning of your search and transaction | eval Login_Time=_time | eval Logout_Time=_time + duration | ...rest of your search or reporting commands...
    2.You could eval the start and end times before your transaction command in the search string, then when your transaction is built, the Login_Time and Logout_Times are added as fields to the transaction:

    ... your search before transaction | eval Login_Time=if(searchmatch("Received User-Agent header"),_time,null()) | eval Logout_Time=if(searchmatch("Session statistics - bytes in"),_time,null()) | transaction command and rest of search...

Hopefully one of those ideas will help you out.

Reply
Solved! Jump to solution

BlueSocket
Communicator
‎11-10-2015 08:11 AM

Thanks for that. I prefer the "eval Login_Time=_time | eval Logout_Time=_time + duration" one - less work for the Search Head and less work than my solution.

0 Karma
Reply
Solved! Jump to solution

BlueSocket
Communicator
‎11-10-2015 07:09 AM

Erm, I think that I just worked it out, but can anyone give a better solution?

Firstly create the Search to create the Logon_Time and Logoff_Time values and then use appendcols with the transaction search:

index=infrastructure sourcetype=syslog Session_Number="*" | stats earliest(_time) AS Logon_Time, latest(_time) AS Logoff_Time by Session_Number | appendcols [ search index=infrastructure sourcetype=syslog Session_Number="*" | transaction Session_Number ] | convert ctime(Logon_Time) ctime(Logoff_Time)

Not very nice. I would prefer, however, to have the earliest and latest fields in the transaction command, though! Much simpler!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...