Can someone tell me what in the Authentication data model distinguishes between login and logout?
I know for sure that I am not mapping logout to the authentication data model because
|datamodel Authentication Authentication search | search index=<meaningful index>
only shows login events.
But I am not sure what the right way is to include logout events. I am sure that I can add the Authentication tag for those events, but then what do I add to distinguish login from logout?
To my understanding of that datamodel, Authentication is ONLY for the authentication process, not for monitoring the underlying session, and thus will only show login events and only has two meaningful action states: "success" and "failure". Check the Network_Session datamodel to track your sessions, and use the "start" and "end" tags to mark session login and logoff respectively.
If you dig into the 'Authentication' datamodel itself, you will see a subset of Authentication datamodels. In those you should see "Successful Authentication," "Unsuccessful Authentication," etc. The subset names may not be exactly that, but you should see those once you open up the 'Authentication' datamodel and poke around.
Once you find those names, the search would be something along the lines below:
|datamodel Authentication Successful Authentication search...
Also, with your search, I would try to map back indexes to specific datamodels to improve overall performance. You can do this with the Splunk Common Information Model (CIM) Add-on: https://splunkbase.splunk.com/app/1621/
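To make the split the two answers above describe concrete (success/failure actions in Authentication, start/end tags in the session datamodel, and the Successful/Failed subsets of Authentication), here is an added example that is not part of the thread or of Splunk's own code. It normalizes three constructed Windows Security events (the event IDs 4624, 4625 and 4634 are the real logon/failed-logon/logoff IDs; the log lines themselves are made up) into CIM-shaped records. The tag and dataset names (`authentication`, `network`/`session`/`start`/`end`, `Successful_Authentication`, `Failed_Authentication`, `Session_Start`, `Session_End`) are my reading of the CIM Authentication and Network_Sessions datamodels and should be checked against the CIM version you run; `normalize`, `datamodel_search` and `CimRecord` are names I chose for the example.

```python
"""Added example, not from the original thread: classify Windows logon/logoff
events the way the CIM Authentication and Network_Sessions datamodels would.
Tag, dataset and field names are assumptions about CIM; verify locally."""

import re
from dataclasses import dataclass

# Real Windows Security event IDs.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
LOGOFF = 4634

# Constructed sample events in the key=value shape Splunk extracts from WinEventLog.
SAMPLE_EVENTS = [
    "EventCode=4624 Account_Name=alice Source_Network_Address=10.0.0.5 ComputerName=srv01",
    "EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9 ComputerName=srv01",
    "EventCode=4634 Account_Name=alice ComputerName=srv01",
]


@dataclass
class CimRecord:
    datamodel: str   # e.g. "Authentication" or "Network_Sessions" (assumed names)
    dataset: str     # child dataset within that datamodel (assumed names)
    tags: set        # CIM tags that route the event into the dataset
    fields: dict     # normalized CIM fields (user, src, dest, action)


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Extract key=value pairs from one raw event line."""
    return dict(KV_RE.findall(line))


def normalize(line):
    """Return the CIM records one raw event maps to.

    A successful logon legitimately feeds two datamodels (it is both a
    successful authentication and the start of a session). A logoff feeds
    only Network_Sessions: it is neither a success nor a failure of
    authentication, which is the point made in the thread.
    """
    ev = parse_kv(line)
    code = int(ev.get("EventCode", 0))
    common = {
        "user": ev.get("Account_Name"),
        "src": ev.get("Source_Network_Address"),   # absent on 4634, stays None
        "dest": ev.get("ComputerName"),
    }
    records = []
    if code == LOGON_SUCCESS:
        records.append(CimRecord("Authentication", "Successful_Authentication",
                                 {"authentication"}, {**common, "action": "success"}))
        records.append(CimRecord("Network_Sessions", "Session_Start",
                                 {"network", "session", "start"}, dict(common)))
    elif code == LOGON_FAILURE:
        records.append(CimRecord("Authentication", "Failed_Authentication",
                                 {"authentication"}, {**common, "action": "failure"}))
    elif code == LOGOFF:
        records.append(CimRecord("Network_Sessions", "Session_End",
                                 {"network", "session", "end"}, dict(common)))
    # Any other event code is simply not CIM-mapped by this example.
    return records


def normalize_all(lines):
    """Normalize a batch of raw lines into a flat list of CIM records."""
    out = []
    for line in lines:
        out.extend(normalize(line))
    return out


def datamodel_search(records, datamodel, dataset=None):
    """Mimic `| datamodel <datamodel> <dataset> search`: filter records by
    datamodel, and by child dataset when one is given."""
    return [r for r in records
            if r.datamodel == datamodel and (dataset is None or r.dataset == dataset)]


if __name__ == "__main__":
    recs = normalize_all(SAMPLE_EVENTS)
    for r in recs:
        print(r.datamodel, r.dataset, sorted(r.tags), r.fields)
    # The logoff only shows up when we look at the session datamodel:
    print("logoffs:", datamodel_search(recs, "Network_Sessions", "Session_End"))
```

Running it shows alice's 4624 producing both a Successful_Authentication record and a Session_Start record, bob's 4625 producing only a Failed_Authentication record, and alice's 4634 producing only a Session_End record; a search over Authentication alone never sees the logoff, which matches what the original poster observed.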
Thank you for your thoughts. My question was about login vs logout. Logout is not an unsuccessful authentication. I guess maybe logout is not authentication at all, but it sure seems highly relevant to understanding authentication.