Knowledge Management

Web Application Logs: How do you tie two separate records by session ID?

juanlazarosanch
New Member

The scenario:

We are ingesting F5 ASM application logs. When a user first hits the login page and attempts to log in, the keypair is: query_string="cmd=login&languageCd=ENG"; additionally, the userid attribute is logged . If they enter in the wrong credentials, the query_string is changed to "cmd=login&languageCd=ENG&cmd=login&errorCode=105" and the userid attribute is not present in the record. In both of these different records, the session_id is consistent.

I want to tie these two records using the session_id, so I can create a table that displays the usernames of people who failed to log in. Is there a way to do this with the "transaction" keyword? Thanks!

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Yes, if the session_id is unique to a user's session, you can use transaction or stats with a by session_id clause.

| transaction session_id

OR

| stats values(user_id) by session_id

Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...