Knowledge Management

summary index and transactions spanning more than one summary interval

jskopis5668
Explorer

I would like to build a summary index (runs hourly) of the following:

sourcetype=http_access | transaction SESSION_ID maxspan=1800s maxpause=120s | sistats count

The summary index works fine but I am worried the same session is counted twice if the session spans more than one summary interval.

Let's say user X starts a session at 13:59. The user makes requests at 13:59, 14:00 and 14:01.

The session is counted once for the 13th hour but then it's counted again for the 14th hour.

Is there a way to exclude sessions that were started in the previous interval?

I think what I want is to run the summary query every 30 min looking at the previous hour. However, I want to exclude transactions where the transaction start time is greater than 30 min ago.

1 Solution

jskopis5668
Explorer

There was an old forum post about this one. Thanks duckfez:

http://www.splunk.com/support/forum:SplunkReporting/3870

I should add that I ended up doing this:

earliest=-90m | transaction SESSION_ID maxspan=1800s maxpause=120s | where _time < relative_time(time(), "-30m") and _time > relative_time(time(),"-60m")

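The double count described in the question and the windowed fix in the accepted answer can be checked offline with a small model of how `transaction` groups events and how a summary search accumulates counts across runs. The following is an added example, not code from the original thread or from Splunk; it models `transaction SESSION_ID maxspan=1800s maxpause=120s` in a simplified way (a transaction's `_time` is the time of its first event), and the events, session IDs and clock times are constructed sample data:

```python
"""Model the summary-index double count and the windowed fix from the thread.

Events are (session_id, seconds_since_midnight). All sessions below are
constructed sample data, not data from the original page.
"""

MAXSPAN = 1800    # transaction maxspan=1800s
MAXPAUSE = 120    # transaction maxpause=120s
INTERVAL = 1800   # summary search runs every 30 min
LOOKBACK = 5400   # earliest=-90m


def hm(hours, minutes):
    """Clock time -> seconds since midnight (sample-data helper)."""
    return hours * 3600 + minutes * 60


def build_transactions(events, maxspan=MAXSPAN, maxpause=MAXPAUSE):
    """Simplified model of `transaction SESSION_ID maxspan=... maxpause=...`.
    Returns (session_id, start, end) tuples; a transaction's _time is its start."""
    open_tx = {}   # session_id -> [start, last_event]
    closed = []
    for sid, t in sorted(events, key=lambda e: e[1]):
        tx = open_tx.get(sid)
        if tx is not None and (t - tx[1] > maxpause or t - tx[0] > maxspan):
            closed.append((sid, tx[0], tx[1]))   # pause or span exceeded: close it
            tx = None
        if tx is None:
            open_tx[sid] = [t, t]
        else:
            tx[1] = t
    closed.extend((sid, s, e) for sid, (s, e) in open_tx.items())
    return closed


def hourly_naive_count(events, run_time):
    """The original summary search: transactions over the previous hour of events.
    A session touching two hours is rebuilt, and counted, in both runs."""
    window = [ev for ev in events if run_time - 3600 <= ev[1] < run_time]
    return len(build_transactions(window))


def windowed_count(events, run_time, interval=INTERVAL, lookback=LOOKBACK):
    """The accepted answer: earliest=-90m, rebuild transactions, then keep only
    those whose start time falls in the 30-minute slice from -60m to -30m."""
    window = [ev for ev in events if run_time - lookback <= ev[1] < run_time]
    lo, hi = run_time - 2 * interval, run_time - interval
    return sum(1 for _, start, _ in build_transactions(window) if lo < start <= hi)


def total_over_runs(counter, events, run_times):
    """Sum what the summary index would accumulate across the given run times."""
    return sum(counter(events, rt) for rt in run_times)


# Constructed sample data: session X straddles 14:00 exactly as in the question,
# Y sits inside one hour, Z pauses for more than 120s and so becomes two transactions.
EVENTS = [
    ("X", hm(13, 59)), ("X", hm(14, 0)), ("X", hm(14, 1)),
    ("Y", hm(14, 10)), ("Y", hm(14, 12)),
    ("Z", hm(14, 20)), ("Z", hm(14, 21)), ("Z", hm(14, 40)),
]

if __name__ == "__main__":
    hourly = [hm(14, 0), hm(15, 0)]
    half_hourly = [hm(h, m) for h in (14, 15, 16) for m in (0, 30)]
    # True number of transactions is 4 (X once, Y once, Z twice).
    print("naive hourly total:", total_over_runs(hourly_naive_count, EVENTS, hourly))
    print("windowed total:   ", total_over_runs(windowed_count, EVENTS, half_hourly))
```

The naive hourly search counts session X in both the 14:00 and 15:00 runs, while the windowed search counts it once, in the 14:30 run, because only the run whose -60m to -30m slice contains the transaction's start time claims it. The 90-minute lookback is what makes this safe: it equals the age of the slice's lower edge (60 min) plus `maxspan` (30 min), so a transaction that really started before the slice can never be truncated at the lookback edge into one that appears to start inside it. The `where` clause in the answer is strict on both ends, so a transaction starting exactly on a boundary second would be dropped by both adjacent runs; the model above uses a half-open slice so every start time belongs to exactly one run.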


jskopis5668
Explorer

There was an old forum post about this one. Thanks duckfez:

http://www.splunk.com/support/forum:SplunkReporting/3870
