Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Capture Active transactions

hariram159
Explorer
‎05-09-2017 06:29 PM

Hi Everyone,

I am trying to capture active sessions with transaction command but unsuccessful, searched answers.splunk.com i didnt get a solution for me which is working...

|transaction ipaddr host startwith="login.jsp" - gives me all transactions
|transaction ipaddr host startwith="login.jsp" endswith="logout.jsp" - gives me all completed transactions

almost tried all solutions given in answers.splunk.com except eventtype, need to try with that...

Any solutions with out having lookup tables ??

Tags (1)
0 Karma
Reply

hariram159
Explorer
‎05-11-2017 09:50 AM

Hi All,

can any one give me the solution ?

0 Karma
Reply

hariram159
Explorer
‎05-10-2017 03:21 AM

Any solutions please for a straight forward requirement.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2017 07:01 PM

Maybe transaction is not the tool for this job. This query will return the most recent of the logins and logouts for each ipaddr/host pair, which should find the 'logins' without a matching 'logout'.

index=foo ("login.jsp" OR "logout.jsp") | dedup ipaddr host | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hariram159
Explorer
‎05-12-2017 11:02 PM

event type not working with transaction, not only transaction with any subsearch

0 Karma
Reply

hariram159
Explorer
‎05-09-2017 09:00 PM

hi richgalloway,

Thanks for answering. from the solution you suggested i am missing below two:

transactions of user/ip from login to logout
events that are generated are unknown they are active/inactive

Thanks.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-10-2017 04:54 AM

Active sessions are those ipaddr/host pairs that have a 'login'; inactive sessions will show a 'logout'.

Your OP did not mention needing all transactions between login and logout.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hariram159
Explorer
‎05-11-2017 09:49 AM

Hi richgalloway,

i have just seen again keeping your solution to get active login sessions, it gives me login.jsp transactions of which are completed, even we cant get count of active sessions also with this solution as per the output of the command.

Thanks.

0 Karma
Reply

hariram159
Explorer
‎05-10-2017 05:57 AM

yes i need events of active sessions as i mentioned i am trying to capture active sessions which means those events. 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...