I need to take out the duration between login and logout of a user from an application.
There are two scenarios for the same:
1. user a logs in at 9 AM, logs out at 9:15 AM, then logs in at 10 AM and logs out at 10:30 AM
2. user b logs in at 8 AM and closes the browser after a few minutes, then logs in again at 9:30 AM and logs out at 10 AM.
Now when I use the transaction command I get the results below:
index=abc sourcetype="abc" EVENT_TYPE=Login OR EVENT_TYPE=Logout user=* | transaction user EVENT_TYPE (over 24 hours)
Type 1, straightforward:
2020-01-20T06:42:07.861+0000, EVENT_TYPE=Login, user a
2020-01-20T06:44:07.456+0000, EVENT_TYPE=Logout, user a
Type 2, misleading (help required on this)
Also, when I ran this:
index=abc sourcetype="abc" | stats count by EVENT_TYPE (over 24 hours)
Login - 5099
Logout - 1799
Try adding the startswith and endswith options to your transaction command:
transaction user maxspan=24h startswith="Login" endswith="Logout"
For more info see https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Transaction .
I tried using the two variants below and with each I got different results. Can you help me understand why?
transaction user startswith="(EVENT_TYPE=Login)" endswith="(EVENT_TYPE=Logout)" maxspan=* - I got 725 results over 24 hours
transaction user startswith="(EVENT_TYPE=Logout)" endswith="(EVENT_TYPE=Login)" maxspan=* - I got 282 results over 24 hours.
Same data set used.
With the first transaction you have a normal correlation that starts with a login and ends with a logout; the second one correlates different events and probably isn't useful for you, because you don't get the duration of a transaction but the period between a logout and the following login.
In other words, if you have
with the first transaction command you have the following transactions:
instead with the second transaction command, you have:
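To make the difference between the two pairings concrete, here is an added Python example that is not part of this thread and not Splunk's own code. It models the start/end pairing of `transaction user startswith=... endswith=...` on constructed events for the two scenarios from the question (user a with two clean sessions, user b whose first login never gets a logout because the browser was closed). The forward pass and the separate list of unclosed sessions are a simplification of my own, not Splunk's exact algorithm; the log lines and the `parse_events`/`transaction` helpers are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the thread's two scenarios (not real data).
SAMPLE_LOG = """\
2020-01-20T09:00:00.000+0000, EVENT_TYPE=Login, user=a
2020-01-20T09:15:00.000+0000, EVENT_TYPE=Logout, user=a
2020-01-20T10:00:00.000+0000, EVENT_TYPE=Login, user=a
2020-01-20T10:30:00.000+0000, EVENT_TYPE=Logout, user=a
2020-01-20T08:00:00.000+0000, EVENT_TYPE=Login, user=b
2020-01-20T09:30:00.000+0000, EVENT_TYPE=Login, user=b
2020-01-20T10:00:00.000+0000, EVENT_TYPE=Logout, user=b
"""


def parse_events(text):
    """Parse 'timestamp, KEY=value, KEY=value' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = [part.strip() for part in line.split(",")]
        kv = dict(field.split("=", 1) for field in fields)
        events.append({
            "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "EVENT_TYPE": kv["EVENT_TYPE"],
            "user": kv["user"],
        })
    return sorted(events, key=lambda e: e["_time"])


def transaction(events, startswith, endswith, maxspan=timedelta(hours=24)):
    """Simplified model of `transaction user startswith=X endswith=Y maxspan=...`.

    A transaction opens on a `startswith` event and closes on the next `endswith`
    event for the same user that falls within maxspan. A new start while one is
    already open (user b's second login) replaces it, and the earlier start ends up
    in the `unclosed` list, which is what Splunk would evict as an incomplete
    transaction. Returns (closed, unclosed).
    """
    open_tx = {}          # user -> start event currently waiting for its end
    closed, unclosed = [], []
    for e in events:
        user = e["user"]
        if e["EVENT_TYPE"] == startswith:
            if user in open_tx:
                unclosed.append(open_tx[user])
            open_tx[user] = e
        elif e["EVENT_TYPE"] == endswith and user in open_tx:
            start = open_tx.pop(user)
            span = e["_time"] - start["_time"]
            if span <= maxspan:
                closed.append({
                    "user": user,
                    "start": start["_time"],
                    "end": e["_time"],
                    "duration": span.total_seconds(),
                })
            else:
                unclosed.append(start)   # end arrived too late: evicted
    unclosed.extend(open_tx.values())     # starts that never saw an end
    return closed, unclosed


def session_report(text):
    """Login->Logout durations (what the question wants) next to Logout->Login gaps
    (what the reversed startswith/endswith actually measures)."""
    events = parse_events(text)
    sessions, orphans = transaction(events, "Login", "Logout")
    gaps, _ = transaction(events, "Logout", "Login")
    return {
        "sessions": [(s["user"], s["duration"]) for s in sessions],
        "orphan_logins": [(o["user"], o["_time"].isoformat()) for o in orphans],
        "logout_to_login_gaps": [(g["user"], g["duration"]) for g in gaps],
    }


if __name__ == "__main__":
    for key, value in session_report(SAMPLE_LOG).items():
        print(key, value)
```

Running it shows three closed sessions (900 s, 1800 s, 1800 s), one orphan login for user b at 08:00 that no Login/Logout pairing can turn into a duration, and a single Logout-to-Login gap of 2700 s for user a, which is why the reversed pairing in the follow-up question returns a different, smaller count. Tightening `maxspan` drops any session longer than the limit into the unclosed list instead of producing a misleadingly long duration.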