Hi Everyone,
I am trying to capture active sessions with transaction command but unsuccessful, searched answers.splunk.com i didnt get a solution for me which is working...
|transaction ipaddr host startwith="login.jsp" - gives me all transactions
|transaction ipaddr host startwith="login.jsp" endswith="logout.jsp" - gives me all completed transactions
almost tried all solutions given in answers.splunk.com except eventtype, need to try with that...
Any solutions with out having lookup tables ??
Hi All,
can any one give me the solution ?
Any solutions please for a straight forward requirement.
Maybe transaction
is not the tool for this job. This query will return the most recent of the logins and logouts for each ipaddr/host pair, which should find the 'logins' without a matching 'logout'.
index=foo ("login.jsp" OR "logout.jsp") | dedup ipaddr host | ...
event type not working with transaction, not only transaction with any subsearch
hi richgalloway,
Thanks for answering. from the solution you suggested i am missing below two:
transactions of user/ip from login to logout
events that are generated are unknown they are active/inactive
Thanks.
Active sessions are those ipaddr/host pairs that have a 'login'; inactive sessions will show a 'logout'.
Your OP did not mention needing all transactions between login and logout.
Hi richgalloway,
i have just seen again keeping your solution to get active login sessions, it gives me login.jsp transactions of which are completed, even we cant get count of active sessions also with this solution as per the output of the command.
Thanks.
yes i need events of active sessions as i mentioned i am trying to capture active sessions which means those events. 🙂