Splunk Enterprise Security

Duration between login and logout in an application

Path Finder

I need to take out the duration between login and logout of a user from an application.
there are two senario for the same:
1. user a login at 9 AM log out at 9:15 AM then login at 10AM and logout at 10:30 AM
2. user b login at 8 AM and close the browser after few mins then login back at 9:30 AM and logout at 10AM.

Now when i use transaction command i got below results:

index=abc sourcetype="abc" EVENT_TYPE=Login OR EVENT_TYPE=Logout user=* | transaction user Event_TYPE ((for 24 hours))

type1, straight forward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a

type2, misleading (required help on this)
2020-01-20T06:15:13.103+0000, EVENT_TYPE=Login
2020-01-20T06:16:55.685+0000, EVENT_TYPE=Login
2020-01-20T06:29:07.445+0000, EVENT_TYPE=Logout
2020-01-20T06:29:07.446+0000, EVENT_TYPE=Logout
2020-01-20T06:41:22.856+0000, EVENT_TYPE=Login
2020-01-20T06:44:07.457+0000, EVENT_TYPE=Logout
2020-01-20T06:48:24.815+0000, EVENT_TYPE=Logout
2020-01-20T06:59:07.383+0000, EVENT_TYPE=Logout

Also when i had done this
index=abc sourcetype="abc" | stats count by EVENT_TYPE (for 24 hours)
Login - 5099
Logout - 1799


0 Karma


Hi @ayushchoudhary,
try addig to your transaction command the startswith and endswith options:

transaction user maxspan=24h startswith="Login" endswith="Logout"

for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Transaction .


0 Karma

Path Finder

i tried using below 2 types and with each i got different results. can you help to let me know why?
transaction user startswith="(EVENT_TYPE=Login)" endswith="(EVENT_TYPE=Logout)" maxspan=* - i got 725 results over 24 hours

transaction user startswith="(EVENT_TYPE=Logout)" endswith="(EVENT_TYPE=Login)" maxspan=* . - i got 282 results over 24 hours.

same data set used

0 Karma


Hi @ayushchoudhary,
with the first transaction you have a normal correlation that starts with login and ends with logout; the second one correlates different events and probably it isn't useful for you because you don't have the duration of a transaction but the period between a logout and the following login.
In other words, if you have
1 Login
2 logout
3 login
4 login
5 logout
6 login
7 logout
with the first transaction command you have the following transactions:
instead with the second transaction command, you have:


0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...