Splunk Enterprise Security

Searchmatch need to verify either of two field values/events

Explorer

Hi All,

Recently Dal Jeanis provided a solution to my query, and now I'm encountering one more issue with the same solution.
https://answers.splunk.com/answers/815659/how-to-get-multiple-events-into-single-row-or-tabl.html

As I see partial logout sessions too, I need searchmatch to match the timestamp of either a Successful logout or a Partial logout, and that should be reflected in the report.
If I use an asterisk, "1030105*:5", it displays the timestamp of another event (the country event).

103010521:5 -- Successful logout
103010502:5 -- Partial logout
103010502:5 -- resource assigned
103010009:5 -- username
103010500:5 -- country
103010506:5 -- User Agent

index=xyz hostname=device* sessionid=*
| rename COMMENT as "limit to needed fields (the session field is sessionid everywhere, as in the base search)"
| fields hostname, sessionid, username, country, clientip

| rename COMMENT as "set the start and end times from the event timestamp _time"
| eval sessionstart=if(searchmatch("103010005:5"),_time,null())
| eval sessionend=if(searchmatch("103010521:5"),_time,null())

| rename COMMENT as "roll the records together"
| stats values(*) as * by hostname sessionid

| rename COMMENT as "format the time fields"
| convert ctime(sessionstart) ctime(sessionend)

| rename COMMENT as "present the results"
| table hostname, sessionid, username, country, clientip, sessionstart, sessionend

I need the session end time from either the Successful logout event or the Partial logout event. It should calculate whichever event is reflected first/last. 103010521:5 -- Successful logout / 103010502:5 -- Partial logout

0 Karma
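The following search is an added example for this thread, not the poster's search and not part of Dal Jeanis's original answer. It shows the two changes the question asks for: matching the session end on either exact logout code with `searchmatch(...) OR searchmatch(...)` instead of the wildcard "1030105*:5" (which also matches the country code 103010500:5), and using `min()`/`max()` in `stats` so the earliest start and the latest end are kept when a session logs both a Partial and a Successful logout. It assumes the session field is named `sessionid` (as in the base search), that `_time` is the event timestamp, and that "103010005:5" is the session-start marker used in the posted search; the event codes are the ones listed in the question.

```spl
index=xyz hostname=device* sessionid=*
| rename COMMENT as "limit to needed fields; _time and _raw are internal and survive this command"
| fields hostname, sessionid, username, country, clientip

| rename COMMENT as "session start marker taken from the posted search (assumption)"
| eval sessionstart=if(searchmatch("103010005:5"), _time, null())

| rename COMMENT as "session end: exact match on either logout code, never a wildcard that also hits 103010500:5 (country)"
| eval sessionend=if(searchmatch("103010521:5") OR searchmatch("103010502:5"), _time, null())
| eval endtype=case(searchmatch("103010521:5"), "successful", searchmatch("103010502:5"), "partial")

| rename COMMENT as "roll the records together: earliest start, latest end, and which logout kinds were seen"
| stats values(username) as username values(country) as country values(clientip) as clientip
        min(sessionstart) as sessionstart max(sessionend) as sessionend values(endtype) as endtype
        by hostname sessionid

| rename COMMENT as "format the time fields"
| convert ctime(sessionstart) ctime(sessionend)

| rename COMMENT as "present the results"
| table hostname, sessionid, username, country, clientip, sessionstart, sessionend, endtype
```

If the report should instead show the first logout of either kind, swap `max(sessionend)` for `min(sessionend)`; the `endtype` column makes it visible when a session ended with only a partial logout, which is the case worth reviewing.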

Re: Searchmatch need to verify either of two field values/events

Ultra Champion

Your epoch (searchmatch) 03010005 is 47 years ago. Really?

0 Karma