Splunk Enterprise Security

Searchmatch need to verify either of two field values/events


Hi All,

Recently Dal Jeanis provided solution to my query and now I'm encounter one more issue with same solution.

As i see partial logout sessions too. I need to have searchmatch either Successful logout or Partial logout should match timestamp and it should reflect in the report.
If I use asterisk "1030105*:5" it display another event country timestamp event.

103010521:5 -- Successful logout
103010502:5 -- Partial logout
103010502:5 -- resource assigned
103010009:5 -- username
103010500:5 -- country
103010506:5 -- User Agent

index=xyz hostname=device_* session_id=*
| rename COMMENT as "limit to needed fields"
| fields hostname, session_id, username, country, clientip

| rename COMMENT as "set the start and end times"
| eval session_start=if(searchmatch("103010005:5"),_time,null())
| eval session_end=if(searchmatch("103010521:5"),_time,null())

| rename COMMENT as "roll the records together"
| stats values(*) as * by hostname session_id

| rename COMMENT as "format the time fields"
| convert ctime(session_start) ctime(session_end)

| rename COMMENT as "present the results"
| table hostname, session_id, username, country, clientip, session_start, session_end

I need session end time either of the event Successful -logout or Paritial logout event. it should calculate whichever event is reflected first/last. 103010521:5 -- Successful logout / 103010502:5 -- Partial logout

0 Karma

Ultra Champion

your epoch(searchmatch)03010005 is 47 years ago. really?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>