Splunk Enterprise Security

Duration between login and logout in an application

ayushchoudhary
Path Finder

I need to take out the duration between login and logout of a user from an application.
There are two scenarios for the same:
1. user a logs in at 9 AM, logs out at 9:15 AM, then logs in at 10 AM and logs out at 10:30 AM
2. user b logs in at 8 AM and closes the browser after a few minutes, then logs back in at 9:30 AM and logs out at 10 AM.

Now when I use the transaction command I get the results below:

index=abc sourcetype="abc" EVENT_TYPE=Login OR EVENT_TYPE=Logout user=* | transaction user Event_TYPE ((for 24 hours))

type 1, straightforward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a

type 2, misleading (need help on this):
2020-01-20T06:15:13.103+0000, EVENT_TYPE=Login
2020-01-20T06:16:55.685+0000, EVENT_TYPE=Login
2020-01-20T06:29:07.445+0000, EVENT_TYPE=Logout
2020-01-20T06:29:07.446+0000, EVENT_TYPE=Logout
2020-01-20T06:41:22.856+0000, EVENT_TYPE=Login
2020-01-20T06:44:07.457+0000, EVENT_TYPE=Logout
2020-01-20T06:48:24.815+0000, EVENT_TYPE=Logout
2020-01-20T06:59:07.383+0000, EVENT_TYPE=Logout

Also, when I ran this:
index=abc sourcetype="abc" | stats count by EVENT_TYPE (for 24 hours)
Login - 5099
Logout - 1799

PLEASE HELP


gcusello
SplunkTrust

Hi @ayushchoudhary,
try adding the startswith and endswith options to your transaction command:

transaction user maxspan=24h startswith="Login" endswith="Logout"

For more info see https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Transaction .

Ciao.
Giuseppe


ayushchoudhary
Path Finder

I tried the two forms below and got different results with each. Can you help me understand why?

transaction user startswith="(EVENT_TYPE=Login)" endswith="(EVENT_TYPE=Logout)" maxspan=* - I got 725 results over 24 hours

transaction user startswith="(EVENT_TYPE=Logout)" endswith="(EVENT_TYPE=Login)" maxspan=* - I got 282 results over 24 hours.

Same data set used.


gcusello
SplunkTrust

Hi @ayushchoudhary,
with the first transaction you have a normal correlation that starts with a login and ends with a logout; the second one correlates different events and probably isn't useful for you, because it gives you not the duration of a transaction but the period between a logout and the following login.
In other words, if you have
1 Login
2 Logout
3 Login
4 Login
5 Logout
6 Login
7 Logout
with the first transaction command you have the following transactions:
1-2
3
4-5
6-7
whereas with the second transaction command you have:
2-3
5-6

Ciao.
Giuseppe

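As an added illustration (not code from this thread or from Splunk), here is a small Python model of how `startswith`/`endswith` pair events per user. It runs over the seven-event sequence from this answer (both in the Login-to-Logout and the Logout-to-Login direction) and over the "type 2" timestamps quoted in the question, computing the same kind of `duration` that the transaction command reports. It is an assumption about the documented semantics, not Splunk's implementation: the user name `b` for the type 2 lines and the one-minute spacing of the seven numbered events are constructed, start/end matching is done on the `EVENT_TYPE` value, and an end event with no open transaction is emitted on its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    user: str
    time: datetime
    etype: str  # value of the EVENT_TYPE field
    seq: int    # position in the per-user timeline (1-based, for readable labels)


@dataclass
class Transaction:
    user: str
    events: List[Event]
    complete: bool = False  # True once it holds both a start and an end event

    @property
    def label(self) -> str:
        """'1-2' for a paired transaction, '3' for a lone event."""
        return "-".join(str(e.seq) for e in self.events)

    @property
    def duration(self) -> Optional[float]:
        """Seconds from first to last event, like transaction's duration field; None for lone events."""
        if len(self.events) < 2:
            return None
        return (self.events[-1].time - self.events[0].time).total_seconds()


def group_transactions(events: List[Event], startswith: str, endswith: str,
                       maxspan_s: Optional[float] = None) -> List[Transaction]:
    """Simplified model of `transaction user startswith=<X> endswith=<Y> maxspan=...`
    (an assumption about the documented behaviour, not Splunk's code):
      * a startswith event opens a transaction; an already open one for that user is
        emitted first, incomplete (this is how the lone login '3' above arises);
      * an endswith event closes the open transaction; with none open, or outside
        maxspan, it is emitted on its own;
      * whatever is still open at the end is emitted incomplete.
    """
    out: List[Transaction] = []
    open_tx: Dict[str, Transaction] = {}
    for ev in sorted(events, key=lambda e: (e.user, e.time)):
        cur = open_tx.get(ev.user)
        if ev.etype == startswith:
            if cur is not None:
                out.append(cur)
            open_tx[ev.user] = Transaction(ev.user, [ev])
        elif ev.etype == endswith:
            within = cur is not None and (
                maxspan_s is None
                or (ev.time - cur.events[0].time).total_seconds() <= maxspan_s)
            if within:
                cur.events.append(ev)
                cur.complete = True
                out.append(cur)
                del open_tx[ev.user]
            else:
                if cur is not None:
                    out.append(cur)
                    del open_tx[ev.user]
                out.append(Transaction(ev.user, [ev]))
        # other EVENT_TYPE values take no part in these transactions and are skipped
    out.extend(open_tx.values())
    return out


def forum_example() -> List[Event]:
    """The seven numbered events from the answer, one minute apart (constructed spacing)."""
    base = datetime(2020, 1, 20, 6, 0)
    types = ["Login", "Logout", "Login", "Login", "Logout", "Login", "Logout"]
    return [Event("a", base + timedelta(minutes=i), t, i + 1) for i, t in enumerate(types)]


# The "type 2" lines quoted in the question; the user name is assumed.
TYPE2_LINES = """\
2020-01-20T06:15:13.103+0000, EVENT_TYPE=Login
2020-01-20T06:16:55.685+0000, EVENT_TYPE=Login
2020-01-20T06:29:07.445+0000, EVENT_TYPE=Logout
2020-01-20T06:29:07.446+0000, EVENT_TYPE=Logout
2020-01-20T06:41:22.856+0000, EVENT_TYPE=Login
2020-01-20T06:44:07.457+0000, EVENT_TYPE=Logout
2020-01-20T06:48:24.815+0000, EVENT_TYPE=Logout
2020-01-20T06:59:07.383+0000, EVENT_TYPE=Logout"""


def type2_sample(user: str = "b") -> List[Event]:
    """Parse TYPE2_LINES into Event objects."""
    events = []
    for i, line in enumerate(TYPE2_LINES.splitlines(), 1):
        ts, kv = line.split(", ")
        events.append(Event(user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                            kv.split("=")[1], i))
    return events


if __name__ == "__main__":
    runs = [("forward (Login -> Logout)", forum_example(), "Login", "Logout"),
            ("reverse (Logout -> Login)", forum_example(), "Logout", "Login"),
            ("type 2 sample", type2_sample(), "Login", "Logout")]
    for title, evs, start, end in runs:
        print(title)
        for tx in group_transactions(evs, start, end, maxspan_s=24 * 3600):
            print(f"  {tx.label:>5}  complete={tx.complete}  duration={tx.duration}")
```

Run with no arguments it prints the groupings: the forward run gives 1-2, 3, 4-5, 6-7, the reverse run gives 2-3 and 5-6 plus the lone events 1, 4 and 7, and the type 2 sample yields two complete sessions (about 732 s and 165 s) while the login that was never closed and the extra logouts come out as single-event transactions with no duration, which is what to filter on (for example `complete=True`, or in SPL `eventcount=2`) before averaging session length.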