I am trying to capture active sessions with transaction command but unsuccessful, searched answers.splunk.com i didnt get a solution for me which is working...
|transaction ipaddr host startwith="login.jsp" - gives me all transactions
|transaction ipaddr host startwith="login.jsp" endswith="logout.jsp" - gives me all completed transactions
almost tried all solutions given in answers.splunk.com except eventtype, need to try with that...
Any solutions with out having lookup tables ??
transaction is not the tool for this job. This query will return the most recent of the logins and logouts for each ipaddr/host pair, which should find the 'logins' without a matching 'logout'.
index=foo ("login.jsp" OR "logout.jsp") | dedup ipaddr host | ...
Thanks for answering. from the solution you suggested i am missing below two:
transactions of user/ip from login to logout
events that are generated are unknown they are active/inactive
Active sessions are those ipaddr/host pairs that have a 'login'; inactive sessions will show a 'logout'.
Your OP did not mention needing all transactions between login and logout.
i have just seen again keeping your solution to get active login sessions, it gives me login.jsp transactions of which are completed, even we cant get count of active sessions also with this solution as per the output of the command.