Splunk Enterprise

Compare _time of 2 events

g_paternicola
Path Finder

Hi everyone,

I have two events:

first event with event_name=LOGIN
second event with event_name=LOGOUT

I need to get only events with event_name=LOGIN, but only if the event_name=LOGIN time is newer than the event_name=LOGOUT time.

Is there a possibility to do so? Thank you very much for helping me!

1 Solution

aasabatini
Motivator

@g_paternicola 

Sorry man, I forgot the double quotes 😅

| eval time_login=if(event_name="LOGIN",_time,"")
| eval time_logout=if(event_name="LOGOUT",_time,"")
| where time_login > time_logout

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”


g_paternicola
Path Finder

Hi Alessandro

Thank you for your search; unfortunately, I do not get any data back...
This is the time I will get:


In this case, logout is newer than login, so I should not get any data back...




aasabatini
Motivator

Hi @g_paternicola 

I'm not sure if I understand, but try this:

| eval time_login=if(event_name=LOGIN,_time,"")
| eval time_logout=if(event_name=LOGOUT,_time,"")
| where time_login > time_logout

If I missed the point, please give more details.

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

aasabatini
Motivator

Hi @g_paternicola 

Please show me the result of this search:

| eval time_login=if(event_name=LOGIN,_time,"")
| eval time_logout=if(event_name=LOGOUT,_time,"")
| table event_name time_login time_logout

event_name=LOGIN newer than event_logout: do you mean more recent?

Thanks in advance.

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

g_paternicola
Path Finder

Yes, by newer I mean more recent.
I will get this result:




aasabatini
Motivator

@g_paternicola 

Sorry man, I forgot the double quotes 😅

| eval time_login=if(event_name="LOGIN",_time,"")
| eval time_logout=if(event_name="LOGOUT",_time,"")
| where time_login > time_logout

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
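As an added illustration (not code from the thread or from Splunk), the following Python models the two searches above on constructed events: an unquoted token in an SPL comparison is a field reference, while a double-quoted token is a string literal, which is why the first version matched nothing. It implements the intent of the thread (keep LOGIN events whose _time is newer than the most recent LOGOUT) rather than Splunk's own evaluator; the function names and sample events are assumptions.

```python
from typing import Dict, List, Optional

Event = Dict[str, object]

# Constructed sample events (epoch seconds), oldest first; not from the thread.
EVENTS: List[Event] = [
    {"_time": 1621240000, "event_name": "LOGOUT"},
    {"_time": 1621241000, "event_name": "LOGIN"},
    {"_time": 1621242000, "event_name": "LOGOUT"},
    {"_time": 1621243000, "event_name": "LOGIN"},  # only LOGIN newer than last LOGOUT
]


def resolve(token: str, event: Event):
    """SPL semantics: "LOGIN" is a string literal, LOGIN is a field name.
    An unquoted token for a field the event does not carry resolves to None."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return event.get(token)


def eval_time(event: Event, token: str) -> Optional[int]:
    """Models `| eval time_x=if(event_name=<token>, _time, "")`:
    returns _time when the condition holds, else None (the empty value)."""
    if event.get("event_name") == resolve(token, event):
        return event["_time"]  # type: ignore[return-value]
    return None


def logins_newer_than_logout(events: List[Event],
                             login_token: str = '"LOGIN"',
                             logout_token: str = '"LOGOUT"') -> List[Event]:
    """Keep LOGIN events whose _time is newer than the most recent LOGOUT.
    Passing unquoted tokens (LOGIN / LOGOUT) reproduces the empty result the
    first search returned: the fields named LOGIN and LOGOUT do not exist."""
    logins = [e for e in events if eval_time(e, login_token) is not None]
    logout_times = [t for t in (eval_time(e, logout_token) for e in events)
                    if t is not None]
    if not logout_times:
        return []  # no LOGOUT to compare against, so nothing qualifies
    last_logout = max(logout_times)
    return [e for e in logins if e["_time"] > last_logout]  # type: ignore[operator]


if __name__ == "__main__":
    print("quoted:", logins_newer_than_logout(EVENTS))
    print("unquoted:", logins_newer_than_logout(EVENTS, "LOGIN", "LOGOUT"))
```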

g_paternicola
Path Finder

It works now... Thanks!


aasabatini
Motivator

@g_paternicola You're welcome!

If it works, please accept the solution.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”