Using transaction, I have grouped together events for the same users.
There are two types of events.
1. Send SMS to user.
2. Log in with this user.
It looks like this:
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
Some users log in several times.
I would like to calculate the time from the sent SMS to the first login.
The result I need is something like this:
91813504 00:01:56
91300083 00:01:32
41237212 00:00:40
Then I can graph the duration over time and see if there is something wrong with the SMS sent to the user.
How can I do this?
Maybe I do not need to use transaction, but it gives me a visual view of events that belong to the same user.


You are correct about using transaction.
Add this at the end of your search:
... | timechart avg(duration)
Duration is a Splunk keyword which will find the difference between the timestamps.
Thanks. This was very close to what I need. The problem is where a user has logged in more than once with the same username. avg(duration) gives the time between the first and last event. I need the time between the first event and the second event. Or to be more specific, the time between the last received SMS and the first login after it. A user may request as many SMS as he likes, so he can request two SMS and then log in using the information in the last SMS.
Since the majority of the users only have one SMS and one login, and the transaction needs to contain both, I just use eventcount=2 in the search after the transaction. This way I ignore all others and get a correct view. Thanks.
Hi,
I would recommend using the "transaction" command to calculate the duration.
transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" | concurrency duration=duration
Then you can classify the duration by phone numbers and IP address if you need.
Hope it is ok.
Thanks
Gokhan
This does not work, since one user may log in between the time another user sends an SMS and logs in.
transaction startswith="PORTAL: SMS sent to" endswith="logged in with username"
This mixes users together.
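
The pairing rule the thread arrives at (per user, measure from the last SMS to the first login after it, and ignore repeat logins) can be checked outside Splunk. The following is an added example in Python, not SPL and not code from any poster; the names `sms_to_login` and `hms` and the assumed year are hypothetical, and the sample is the log excerpt from the question.

```python
import re
from datetime import datetime

# Sample input: the log lines quoted in the question above.
SAMPLE = """\
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?:PORTAL: (?P<sms>SMS sent to)|AAA: \S+ logged in with username) "
    r"(?P<user>\d+)\.?$"
)

def sms_to_login(log_text, year=2024):
    """Return [(user, sms_time, delay)] pairing each user's last SMS
    with the first login that follows it. The syslog timestamp has no
    year, so one is assumed (hypothetical default)."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are neither event type
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], "sms" if m["sms"] else "login"))
    events.sort(key=lambda e: e[0])  # stable: ties keep log order
    pending = {}  # user -> time of most recent unanswered SMS
    out = []
    for ts, user, kind in events:
        if kind == "sms":
            pending[user] = ts  # a newer SMS replaces the older one
        elif user in pending:
            out.append((user, pending[user], ts - pending.pop(user)))
        # a login with no pending SMS (a repeat login) is ignored
    return out

def hms(delay):
    """Format a timedelta as HH:MM:SS, the layout asked for above."""
    s = int(delay.total_seconds())
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"
```

Because state is kept per username, logins from other users that fall between one user's SMS and login do not affect that user's result.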
