I need to work out the duration between login and logout of a user from an application.
There are two scenarios for this:
1. User a logs in at 9 AM, logs out at 9:15 AM, then logs in at 10 AM and logs out at 10:30 AM.
2. User b logs in at 8 AM and closes the browser after a few minutes, then logs back in at 9:30 AM and logs out at 10 AM.
Now when I use the transaction command I get the results below:
index=abc sourcetype="abc" EVENT_TYPE=Login OR EVENT_TYPE=Logout user=* | transaction user Event_TYPE (run over 24 hours)
Type 1, straightforward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a
I tried the two forms below and with each I got different results. Can you help me understand why?
transaction user startswith="(EVENT_TYPE=Login)" endswith="(EVENT_TYPE=Logout)" maxspan=* - I got 725 results over 24 hours
transaction user startswith="(EVENT_TYPE=Logout)" endswith="(EVENT_TYPE=Login)" maxspan=* - I got 282 results over 24 hours.
With the first transaction you have a normal correlation that starts with a login and ends with a logout; the second one correlates different events and probably isn't useful for you, because you don't get the duration of a session but the period between a logout and the following login.
In other words, if you have
With the first transaction command you have the following transactions:
Instead, with the second transaction command, you have:
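To make the difference between the two searches concrete, here is an added Python simulation (not the poster's data and not Splunk's own implementation) of how `startswith`/`endswith` pairing behaves on a small constructed event set modelled on the two scenarios in the question. The `transactions()` function and the sample `EVENTS` list are assumptions of this example: it walks each user's events in time order, opens a transaction on the `startswith` type and closes it on the next `endswith` type, which is enough to show why Login->Logout yields session durations while Logout->Login yields idle gaps between sessions, and why the two produce different counts. It also shows what happens in scenario 2, where a browser close leaves a Login with no matching Logout.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (_time, user, EVENT_TYPE) modelled on the two
# scenarios in the question; these are NOT the poster's real data.
EVENTS = [
    ("2020-01-20T09:00:00", "a", "Login"),
    ("2020-01-20T09:15:00", "a", "Logout"),
    ("2020-01-20T10:00:00", "a", "Login"),
    ("2020-01-20T10:30:00", "a", "Logout"),
    ("2020-01-20T08:00:00", "b", "Login"),   # browser closed: no Logout follows
    ("2020-01-20T09:30:00", "b", "Login"),
    ("2020-01-20T10:00:00", "b", "Logout"),
]


def transactions(events, startswith, endswith):
    """Simplified model of `transaction user startswith=... endswith=...`
    (an assumption of this example, not Splunk's implementation).

    Events are walked per user in chronological order. An event whose type
    equals `startswith` opens a transaction (an already-open one is emitted
    as incomplete); the next event equal to `endswith` closes it. Events
    that match neither boundary, or an `endswith` event with nothing open,
    are dropped, which is how `transaction` treats unbounded events by default.
    """
    by_user = defaultdict(list)
    for ts, user, etype in events:
        by_user[user].append((datetime.fromisoformat(ts), etype))

    result = []
    for user in sorted(by_user):
        open_txn = None
        for t, etype in sorted(by_user[user]):
            if etype == startswith:
                if open_txn is not None:      # e.g. a Login with no Logout before the next Login
                    result.append(open_txn)   # emitted without an end -> closed=False
                open_txn = {"user": user, "start": t, "end": None,
                            "duration_s": None, "closed": False}
            elif etype == endswith and open_txn is not None:
                open_txn["end"] = t
                open_txn["duration_s"] = int((t - open_txn["start"]).total_seconds())
                open_txn["closed"] = True
                result.append(open_txn)
                open_txn = None
        if open_txn is not None:              # still open at the end of the window
            result.append(open_txn)
    return result


def durations(txns):
    """Durations in seconds of the closed transactions only, in emit order."""
    return [t["duration_s"] for t in txns if t["closed"]]


if __name__ == "__main__":
    sessions = transactions(EVENTS, "Login", "Logout")
    gaps = transactions(EVENTS, "Logout", "Login")
    print("Login->Logout (session durations):", durations(sessions),
          "incomplete:", sum(not t["closed"] for t in sessions))
    print("Logout->Login (idle gaps):", durations(gaps),
          "incomplete:", sum(not t["closed"] for t in gaps))
```

With this input the Login->Logout form returns three closed sessions (15, 30 and 30 minutes) plus one incomplete transaction for user b's abandoned 8 AM session, while the Logout->Login form returns a single closed "transaction" of 45 minutes (user a's gap between 9:15 and 10:00) plus two incomplete ones. The different totals mirror the 725 versus 282 results in the question, and the incomplete entries are the cases worth watching when session duration feeds any access review or anomaly baseline: a missing Logout is not a zero-length session.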