Hi,
I want to calculate the session time of a user in Splunk. The current scenario is that I have multiple users using the same user credentials, so I can see that the number of logins and the number of logouts are different. Hence, I'm facing difficulty in calculating sessions and identifying session IDs.
Can anyone please help with this?
Thanks!
My first advice is, stop that. It's just bad practice to let multiple users use the same ID, without a lockbox/checkout facility that identifies the actual user at any given time.
My second advice is that the Splunk logon captures the IP of the user, so you can use the src=1.1.1.1 on the action="login attempt" event to differentiate them (at least to collect the same person's stuff together). Hopefully you have some other logs that will help you figure out who has any given IP at any given time.
Can you share your search language as to how you are capturing the logons and logoffs?
Hi DalJeanis,
I am currently using the query below to find the user logins and logouts.
index=_audit sourcetype=audittrail user=* action=log*
| rename info as status
| replace succeeded with success in status
| replace failed with failure in status
| replace "login attempt" with login in action
| stats count by _time user action status
| append [search index=_internal sourcetype=splunk_web_service user=* action=log* | stats count by _time user action status]
| table _time user action status count
| sort - _time
Thanks!
Mousumi Chowdhury
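Added example (not part of the original thread, and not Splunk's own code): a small Python script that shows the pairing logic DalJeanis's answer implies for the query above. It parses constructed, audittrail-style lines (the field layout and the `src` field name are assumptions for illustration; real events may order fields differently), keys sessions on (user, source IP) rather than on the shared user alone, pairs each logout with the most recent successful login from the same source, and reports logins that never got a logout and logouts that have no matching login. Those two leftover categories are exactly why the login and logout counts in the original question do not agree.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the style of Splunk's _audit "audittrail" lines.
# One shared account (svc_shared) is used from three source IPs at once.
SAMPLE_AUDIT = """\
Audit:[timestamp=05-10-2017 09:00:00.000, user=svc_shared, action=login attempt, info=succeeded, src=10.0.0.5]
Audit:[timestamp=05-10-2017 09:02:00.000, user=svc_shared, action=login attempt, info=succeeded, src=10.0.0.9]
Audit:[timestamp=05-10-2017 09:05:00.000, user=svc_shared, action=login attempt, info=failed, src=10.0.0.7]
Audit:[timestamp=05-10-2017 09:30:00.000, user=svc_shared, action=logout, info=succeeded, src=10.0.0.5]
Audit:[timestamp=05-10-2017 10:15:00.000, user=svc_shared, action=logout, info=succeeded, src=10.0.0.9]
Audit:[timestamp=05-10-2017 11:00:00.000, user=svc_shared, action=login attempt, info=succeeded, src=10.0.0.5]
"""

FIELD_RE = re.compile(r"(\w+)=([^,\]]+)")
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line):
    """Extract the key=value pairs and normalise them the way the SPL query does
    (info -> status, 'login attempt' -> login, succeeded/failed -> success/failure)."""
    fields = dict(FIELD_RE.findall(line))
    status_map = {"succeeded": "success", "failed": "failure"}
    return {
        "time": datetime.strptime(fields["timestamp"].strip(), TS_FORMAT),
        "user": fields["user"].strip(),
        "src": fields.get("src", "unknown").strip(),   # 'src' is an assumed field name
        "action": "login" if fields["action"].startswith("login") else fields["action"].strip(),
        "status": status_map.get(fields["info"].strip(), fields["info"].strip()),
    }


def sessionize(lines):
    """Pair logins with logouts per (user, src).

    Returns (sessions, orphan_logouts). A session dict has start, end, duration and
    closed=False when no logout was ever seen for that login."""
    events = sorted((parse_audit_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    open_logins = defaultdict(list)   # (user, src) -> stack of login times still open
    sessions, orphan_logouts = [], []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["action"] == "login":
            if ev["status"] == "success":      # failed attempts never open a session
                open_logins[key].append(ev["time"])
        elif ev["action"] == "logout":
            if open_logins[key]:
                start = open_logins[key].pop()  # most recent open login from this source
                sessions.append({"user": ev["user"], "src": ev["src"], "start": start,
                                 "end": ev["time"], "duration": ev["time"] - start, "closed": True})
            else:
                orphan_logouts.append(ev)       # logout with no login on record (e.g. log gap)
    for (user, src), stack in open_logins.items():
        for start in stack:                     # logins that never logged out (timeout, crash)
            sessions.append({"user": user, "src": src, "start": start,
                             "end": None, "duration": None, "closed": False})
    return sessions, orphan_logouts


def main():
    sessions, orphans = sessionize(SAMPLE_AUDIT.splitlines())
    for s in sorted(sessions, key=lambda s: s["start"]):
        dur = f"{s['duration'].total_seconds() / 60:.0f} min" if s["closed"] else "still open"
        print(f"{s['user']:<12} {s['src']:<10} {s['start']:%H:%M} -> {dur}")
    print(f"logouts without a matching login: {len(orphans)}")


if __name__ == "__main__":
    main()
```

Run on the sample it reports two closed sessions (30 and 73 minutes from 10.0.0.5 and 10.0.0.9), one still-open login from 10.0.0.5, and no orphan logouts; the failed attempt from 10.0.0.7 is ignored. In SPL the same grouping can be sketched with the `transaction` command keyed on `user src` with `startswith` on the login event and `endswith` on the logout, which also yields a `duration` field, but the unterminated and orphan cases still have to be handled explicitly, as the script does.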