Knowledge Management

Web Application Logs: How do you tie two separate records by session ID?

New Member

The scenario:

We are ingesting F5 ASM application logs. When a user first hits the login page and attempts to log in, the keypair is: query_string="cmd=login&languageCd=ENG"; additionally, the userid attribute is logged . If they enter in the wrong credentials, the query_string is changed to "cmd=login&languageCd=ENG&cmd=login&errorCode=105" and the userid attribute is not present in the record. In both of these different records, the session_id is consistent.

I want to tie these two records using the session_id, so I can create a table that displays the usernames of people who failed to log in. Is there a way to do this with the "transaction" keyword? Thanks!

0 Karma

Splunk Employee
Splunk Employee

Yes, if the session_id is unique to a user's session, you can use transaction or stats with a by session_id clause.

| transaction session_id


| stats values(user_id) by session_id

Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...