Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using transaction to detect timeouts

jbrenner
Path Finder
‎08-31-2017 10:35 AM

I would like to use the transaction command to find adjacent log entries with the same IP and different Session IDs.
Ideally, I would only like to return adjacent pairs of log statements with at least a 15 minute timestamp difference between them.

Here is the REX I'm using to extract SESSION_ID:

rex field=_raw "-S:(?<SESSION_ID>\w+)-"

Thanks!
Jonathan

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2017 05:28 PM

Try this:

Your Base Search Here
|  rex field=_raw "-S:(?<SESSION_ID>\w+)-"
| streamstats time_window=900 min(_time) AS start range(_time) AS duration values(SESSION_ID) dc(SESSION_ID) AS numSessions BY host
| search numSessions>1
0 Karma
Reply

cmerriman
Super Champion
‎08-31-2017 12:12 PM

some examples of your data would be helpful. transaction will only allow you to put in arguments for max pause, though you could search for durations after the fact. 

|transaction IP SESSION_ID maxevents=2|search duration>=900

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Transaction

i prefer streamstats, myself.

|sort 0 IP SESSION_ID + _time
| streamstats window=1 current=f values(_time) as previousTime by IP SESSION_ID|eval duration=_time-previousTime|search duration>=900

http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Streamstats

just for ideas.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...