Splunk Enterprise Security

Duration between login and logout in an application

ayushchoudhary
Path Finder

I need to take out the duration between login and logout of a user from an application.
There are two scenarios for the same:
1. User a logs in at 9 AM, logs out at 9:15 AM, then logs in at 10 AM and logs out at 10:30 AM.
2. User b logs in at 8 AM and closes the browser after a few minutes, then logs back in at 9:30 AM and logs out at 10 AM.

Now when I use the transaction command I get the results below (search run over a 24-hour time range):

index=abc sourcetype="abc" EVENT_TYPE=Login OR EVENT_TYPE=Logout user=* | transaction user Event_TYPE

Type 1, straightforward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a

Type 2, misleading (I need help on this):
2020-01-20T06:15:13.103+0000, EVENT_TYPE=Login
2020-01-20T06:16:55.685+0000, EVENT_TYPE=Login
2020-01-20T06:29:07.445+0000, EVENT_TYPE=Logout
2020-01-20T06:29:07.446+0000, EVENT_TYPE=Logout
2020-01-20T06:41:22.856+0000, EVENT_TYPE=Login
2020-01-20T06:44:07.457+0000, EVENT_TYPE=Logout
2020-01-20T06:48:24.815+0000, EVENT_TYPE=Logout
2020-01-20T06:59:07.383+0000, EVENT_TYPE=Logout


Also, when I ran this (over 24 hours):
index=abc sourcetype="abc" | stats count by EVENT_TYPE
Login - 5099
Logout - 1799

PLEASE HELP

0 Karma

gcusello
SplunkTrust

Hi @ayushchoudhary,
try adding to your transaction command the startswith and endswith options:

transaction user maxspan=24h startswith="Login" endswith="Logout"

For more info see https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Transaction .

Ciao.
Giuseppe

0 Karma

ayushchoudhary
Path Finder

I tried using the 2 variants below and with each I got different results. Can you help me understand why?

transaction user startswith="(EVENT_TYPE=Login)" endswith="(EVENT_TYPE=Logout)" maxspan=*
- I got 725 results over 24 hours.

transaction user startswith="(EVENT_TYPE=Logout)" endswith="(EVENT_TYPE=Login)" maxspan=*
- I got 282 results over 24 hours.

Same data set used.

0 Karma

gcusello
SplunkTrust

Hi @ayushchoudhary,
with the first transaction you have a normal correlation that starts with a login and ends with a logout; the second one correlates different events and probably isn't useful for you, because you don't get the duration of a transaction but the period between a logout and the following login.
In other words, if you have
1 Login
2 logout
3 login
4 login
5 logout
6 login
7 logout
with the first transaction command you have the following transactions:
1-2
3
4-5
6-7
instead with the second transaction command, you have:
2-3
5-6

Ciao.
Giuseppe

0 Karma
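The pairing rule Giuseppe describes (a Login opens a session, the next Logout for the same user closes it, and a second Login before any Logout leaves the first session without a duration) is easy to sanity-check outside Splunk before trusting a dashboard built on it. The script below is an added example, not code from the thread or from Splunk: it is a simplified Python model of `transaction user startswith=Login endswith=Logout maxspan=...`, run over a constructed event list modelled on the timestamps in the question. The function and field names (`pair_sessions`, `session_report`, the `(timestamp, event_type, user)` tuples) are assumptions. Logouts that arrive with no open session for that user are counted separately rather than paired, which is exactly the "misleading" duplicate logout in the type-2 output, and unmatched logins are what drive the 5099 Login vs 1799 Logout gap the question reports.

```python
"""Simplified model of Splunk's transaction startswith/endswith pairing.

Added example, not Splunk's implementation. Assumed helper names throughout.
"""
from datetime import datetime, timedelta

# Constructed sample events in (timestamp, EVENT_TYPE, user) form; the
# timestamps are modelled on the thread's format, not copied from real data.
SAMPLE_EVENTS = [
    ("2020-01-20T06:15:13.103+0000", "Login", "user b"),
    ("2020-01-20T06:16:55.685+0000", "Login", "user b"),   # re-login, browser closed earlier
    ("2020-01-20T06:29:07.445+0000", "Logout", "user b"),
    ("2020-01-20T06:29:07.446+0000", "Logout", "user b"),  # duplicate logout, no open session
    ("2020-01-20T06:41:22.856+0000", "Login", "user b"),
    ("2020-01-20T06:44:07.457+0000", "Logout", "user b"),
    ("2020-01-20T06:42:07.861+0000", "Login", "user a"),
    ("2020-01-20T06:44:07.456+0000", "Logout", "user a"),
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the thread's event lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def pair_sessions(events, start="Login", end="Logout", maxspan=timedelta(hours=24)):
    """Pair start/end events per user in time order.

    Returns (sessions, orphans):
      sessions: dicts with user, start, end, duration (seconds); end/duration
                are None when the session was never closed by an `end` event
                (a second Login arrived first, maxspan expired, or the window ended).
      orphans:  `end` events for which no session was open (dropped, like
                Splunk does for events that cannot join a transaction).
    """
    open_since = {}     # user -> datetime of the currently open session
    sessions, orphans = [], []

    for ts, etype, user in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        opened = open_since.get(user)

        # maxspan: an open session older than the span is closed without an end.
        if opened is not None and t - opened > maxspan:
            sessions.append({"user": user, "start": opened, "end": None, "duration": None})
            opened = open_since[user] = None

        if etype == start:
            if opened is not None:
                # A new startswith event closes the previous transaction early.
                sessions.append({"user": user, "start": opened, "end": None, "duration": None})
            open_since[user] = t
        elif etype == end:
            if opened is None:
                orphans.append((ts, etype, user))
            else:
                sessions.append({"user": user, "start": opened, "end": t,
                                 "duration": (t - opened).total_seconds()})
                open_since[user] = None

    # Anything still open when the search window ends has no duration either.
    for user, opened in open_since.items():
        if opened is not None:
            sessions.append({"user": user, "start": opened, "end": None, "duration": None})
    return sessions, orphans


def session_report(events, **kwargs):
    """Summarise how many sessions paired cleanly versus how many did not."""
    sessions, orphans = pair_sessions(events, **kwargs)
    done = [s["duration"] for s in sessions if s["duration"] is not None]
    return {
        "completed": len(done),
        "unmatched_logins": len(sessions) - len(done),
        "orphan_logouts": len(orphans),
        "avg_duration_s": (sum(done) / len(done)) if done else None,
    }


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE_EVENTS)[0]:
        print(s["user"], s["start"].time(), s["end"].time() if s["end"] else "-", s["duration"])
    print(session_report(SAMPLE_EVENTS))
```

Running it on the constructed sample yields three completed sessions, one login closed by a later login, and one orphan logout; shrinking `maxspan` to a minute turns every session into an unmatched login, which is the same effect a too-small maxspan has on the real search. The counts in the report map directly onto the three numbers a defender should track from these logs: sessions with a measurable duration, logins that never produced a logout, and logouts with no matching login.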