Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Finding Events Between Other Events

DLThurston
Observer
‎02-12-2021 06:06 AM

I might be confusing myself by making this harder than it is...

Say I have a log where the events are:

LOGIN
ACTION (1)
ACTION (2)
LOGOUT
LOGIN
ACTION (3)
ACTION (4)
ACTION (5)
LOGOUT

What I would like is to be able to display all the ACTION events that happened between just the first LOGIN/LOGOUT pair and output:

ACTION (1)
ACTION (2)

This is in a dashboard, and I've got dropdowns to identify each unique LOGIN event, those are working just fine. I tried a transaction, but I think that might be the wrong tool for the job, and I'm worried I got too fixated on that and am now missing the forest for the trees. What I want is all ACTION events bounded by the selected LOGIN and the next subsequent LOGOUT. So in terms of metacode I want something along the lines of...

| search ACTION earliest=LOGIN._time latest=LOGOUT._time

Does that make sense? Am I approaching this from the wrong direction? Or is this just a bit of search code I haven't figured out?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-12-2021 06:15 AM

Is there any attribute in the events which ties the action events to the login session they are part of?

0 Karma
Reply

DLThurston
Observer
‎02-12-2021 06:55 AM

Unfortunately no. What I'm basically attempting to do is create sessions where none exist within a text-based log that shows login/logout events, but where the actions in between are not tied to a session or to a user account. Fun, right?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-12-2021 07:07 AM 
| makeresults | eval _raw="LOGIN
ACTION (1)
ACTION (2)
LOGOUT
LOGIN
ACTION (3)
ACTION (4)
ACTION (5)
LOGOUT"
| multikv noheader=t
| fields _raw
| fields - _time
| streamstats count(eval(_raw="LOGIN")) as session
| where _raw != "LOGIN" AND _raw != "LOGOUT"
| stats values(_raw) as events by session
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...