Using transaction I have grouped together events for the same users.
There are two types of event.
1. Send SMS to user.
2. Log in with this user.
It looks like this:
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
Some users log in several times.
I would like to calculate the time from the SMS being sent to the first login.
The result I need is something like this:
91813504 00:01:56
91300083 00:01:32
41237212 00:00:40
Then I can graph the duration over time and see if there is something wrong with the SMS sent to the user.
How to do this?
Maybe I do not need to use transaction, but it gives me a visual view of the events that belong to the same user.
You are correct about using transaction. Add this at the end of your search:
... | timechart avg(duration)
Duration is a Splunk keyword which will find the difference between the timestamps.
Thanks. This was very close to what I need. The problem is where a user has logged in more than once with the same username. avg(duration) gives the time between the first and last event. I need the time between the first event and the second event. Or, to be more specific, the time between the last received SMS and the first login after it. A user may request as many SMS as he likes, so he can request two SMS and then log in using the information in the last SMS.
I would recommend you use the "transaction" command to calculate the duration.
transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" |concurrency duration=duration
Then you can classify the duration by phone numbers and IP address if you need.
Hope it is ok.
This does not work, since one user may log in between the time another user is sent an SMS and logs in. transaction startswith="PORTAL: SMS sent to" endswith="logged in with username" mixes users together.
Since the majority of the users only have one SMS and one login, and the transaction needs to contain both, I just use eventcount=2 in the search after the transaction. This way I ignore all others and get a correct view. Thanks.
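For reference, the per-user pairing the question actually asks for (time from the last SMS to the first login after it, with extra logins and superseded SMS ignored) can be checked outside Splunk with a short script. This is an added example, not code from the thread or from Splunk; the log lines are the thread's excerpt plus one constructed user (99990000) who requests two SMS before logging in, and the year is an assumption added so the syslog timestamps parse.

```python
import re
from datetime import datetime

# Sample events: the thread's log excerpt, plus a constructed user 99990000
# who is sent two SMS and then logs in once (tests the "last SMS" rule).
SAMPLE_LOG = """\
Jan 22 11:52:15 172.30.112.1 PORTAL: SMS sent to 91813504.
Jan 22 11:54:11 172.30.112.1 AAA: 172.30.44.246 logged in with username 91813504
Jan 22 11:52:04 172.30.112.1 PORTAL: SMS sent to 91300083.
Jan 22 11:53:36 172.30.112.1 AAA: 172.30.53.83 logged in with username 91300083
Jan 22 11:51:10 172.30.112.1 PORTAL: SMS sent to 41237212.
Jan 22 11:51:50 172.30.112.1 AAA: 172.30.40.116 logged in with username 41237212
Jan 22 12:01:37 172.30.112.1 AAA: 172.30.40.113 logged in with username 41237212
Jan 22 12:10:00 172.30.112.1 PORTAL: SMS sent to 99990000.
Jan 22 12:12:00 172.30.112.1 PORTAL: SMS sent to 99990000.
Jan 22 12:12:30 172.30.112.1 AAA: 172.30.40.120 logged in with username 99990000
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
SMS_RE = re.compile(rf"^{TS} \S+ PORTAL: SMS sent to (\d+)\.?$")
LOGIN_RE = re.compile(rf"^{TS} \S+ AAA: \S+ logged in with username (\d+)$")

def parse_ts(text, year=2013):  # year is assumed; syslog lines carry none
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def sms_to_first_login(log_text):
    """Return [(username, sms_time, seconds)] for each SMS that was followed by
    a login. A newer SMS for the same user replaces an unused older one, and a
    login with no outstanding SMS (a repeat login) is ignored."""
    events = []
    for line in log_text.splitlines():
        m = SMS_RE.match(line) or LOGIN_RE.match(line)
        if m:
            kind = "sms" if m.re is SMS_RE else "login"
            events.append((parse_ts(m.group(1)), m.group(2), kind))
    events.sort(key=lambda e: e[0])        # events arrive unordered in the raw log
    pending, results = {}, []
    for ts, user, kind in events:
        if kind == "sms":
            pending[user] = ts             # last SMS wins; earlier one is superseded
        elif user in pending:
            sent = pending.pop(user)       # first login after that SMS closes it
            results.append((user, sent, int((ts - sent).total_seconds())))
    return results

def hms(seconds):
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"

if __name__ == "__main__":
    for user, sent, secs in sms_to_first_login(SAMPLE_LOG):
        print(user, sent.strftime("%H:%M:%S"), hms(secs))
```

Graphing `seconds` against `sms_time` gives the same "duration over time" view the question wants, without the mixing between users that a plain startswith/endswith transaction causes.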