Hi,
I'm trying to identify the difference between two events, for instance:
Event 1: user=jdoe message="session timed out"
Event 2: user=jdoe message="logged in"
Problem is: I have to keep the user parameter saved somehow.
Two options would work for me: either finding out what the time difference between these events is, or knowing if event 2 happens less than x minutes after event 1.
I've tried using delta and transaction but it's not working correctly ...
Thanks in advance for your help.
M
Here's a blog post I wrote about maintaining state with lookups:
http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
It's been a while, sorry; here's all I could come up with:
sourcetype=xxx msg="primary authentication successful" OR msg="session timed out" | transaction user startswith="session timed out" endswith="primary authentication successful" maxspan=5m | search msg="session timed out"
Seems to work pretty well.
Thanks for your help.
I also think that the transaction command could help you. I haven't tried the search below, but the idea is to get all users that log back in into a transaction and then just search for the unclosed transactions. You should then be left with logins and session timeouts that are not related.
message="logged in" OR message="session timed out" | transaction user maxspan=<x min> maxpause=<x min> startswith="session timed out" endswith="logged in" keepevicted=true | search closed_txn=0
You probably just want the users in the session timed out messages.
message="logged in" OR message="session timed out" | transaction user maxspan=<x min> maxpause=<x min> startswith="session timed out" endswith="logged in" keepevicted=true | search closed_txn=0 message="session timed out" | top user
Chris
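To make the transaction idea concrete (both the startswith/endswith/maxspan search in Chris's answer and the maxspan=5m search the asker settled on), here is an added Python example that is not part of this thread and not Splunk code: it replays the same pairing logic over a handful of constructed events and reports, per timeout, whether the user logged back in within maxspan (closed_txn=1) or not (closed_txn=0). The event values, the field names `_time`/`user`/`message`, and the function names are my own assumptions; the mapping to Splunk's transaction behaviour is my reading of the command, not something verified against the product.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events standing in for the "user=... message=..." events
# in the question; they are not real log data and are not in time order on purpose.
SAMPLE_EVENTS = [
    {"_time": "2011-01-11 09:00:00", "user": "jdoe",   "message": "session timed out"},
    {"_time": "2011-01-11 09:02:00", "user": "jdoe",   "message": "logged in"},
    {"_time": "2011-01-11 09:30:00", "user": "asmith", "message": "logged in"},
    {"_time": "2011-01-11 09:10:00", "user": "asmith", "message": "session timed out"},
    {"_time": "2011-01-11 09:15:00", "user": "bwong",  "message": "session timed out"},
    {"_time": "2011-01-11 09:20:00", "user": "jdoe",   "message": "logged in"},
]

TIMEOUT = "session timed out"
LOGIN = "logged in"


def _ts(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def pair_timeouts_with_logins(events, maxspan_minutes=5):
    """Group events per user the way
    `transaction user startswith="session timed out" endswith="logged in"
     maxspan=<x>m keepevicted=true` is meant to.

    Returns one record per timeout. closed_txn is 1 when the same user logged
    back in within maxspan, 0 when the transaction was never closed (no login
    at all, or a login that came too late to fit inside maxspan).
    """
    maxspan = timedelta(minutes=maxspan_minutes)
    open_timeouts = {}   # user -> timeout event still waiting for a login
    records = []

    def evict(user):
        t = open_timeouts.pop(user)
        records.append({"user": user, "timeout_time": t["_time"],
                        "login_time": None, "closed_txn": 0, "delta_min": None})

    for ev in sorted(events, key=_ts):
        user, msg = ev["user"], ev["message"]
        if msg == TIMEOUT:
            # A second timeout for the same user starts a new transaction;
            # the earlier one is emitted unclosed (the keepevicted=true case).
            if user in open_timeouts:
                evict(user)
            open_timeouts[user] = ev
        elif msg == LOGIN and user in open_timeouts:
            t = open_timeouts[user]
            delta = _ts(ev) - _ts(t)
            if delta <= maxspan:
                open_timeouts.pop(user)
                records.append({"user": user, "timeout_time": t["_time"],
                                "login_time": ev["_time"], "closed_txn": 1,
                                "delta_min": delta.total_seconds() / 60})
            else:
                # A login outside maxspan cannot close the transaction:
                # the timeout is evicted unclosed and this login stays unpaired.
                evict(user)
        # A login with no pending timeout for that user matches no startswith
        # event, so this example simply ignores it.

    # End of the search window: whatever is still open was never closed.
    for user in list(open_timeouts):
        evict(user)
    return records


def idle_session_users(events, maxspan_minutes=5):
    """Equivalent in spirit to `... | search closed_txn=0 | top user`: how many
    timed-out sessions per user were never followed by a re-login within maxspan."""
    return Counter(r["user"]
                   for r in pair_timeouts_with_logins(events, maxspan_minutes)
                   if r["closed_txn"] == 0)


if __name__ == "__main__":
    for r in pair_timeouts_with_logins(SAMPLE_EVENTS):
        print(r)
    print(idle_session_users(SAMPLE_EVENTS))
```

With the 5 minute window only jdoe's timeout is closed (the re-login is 2 minutes later); asmith's login 20 minutes after the timeout and bwong's missing login both leave an unclosed transaction, which is exactly the "closed_txn=0" set the thread is after. Widening maxspan to 30 minutes closes asmith's transaction too, which is the sensitivity the asker noticed when changing the time value.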
Any ideas here?
Hi there and thanks a lot for this answer. I've tried that but removed keepevicted=true. If I leave 'search closed_txn=0 message="session timed out"', I've got no results. If I remove it, I've got the events I'm looking for, but it seems like the maxspan is not taken into account. No matter what time value I put, it's not filtering anything.
Here's my search:
sourcetype="xxxxxx" msg="login succeeded" OR msg="Session timed out" | transaction user startswith="Session timed out" endswith="login succeeded" maxspan=5min maxpause=1min (| search closed_txn=0 msg="Session timed out")
I think transaction is the correct direction.
Sorry for the unclear explanation. In the end, the goal is to know whether or not my users log back in (event: jdoe logged in) when their session times out (event: jdoe's session timed out). The idea is to identify the users who do not log out when they leave my application, and that's not good because they leave idle sessions.
I think you'll need to state your problem more clearly. In what way do you need to 'save' the user parameter? How are you planning to use this search? Should it be user-independent and used in a search form somehow where Splunk users can specify the value for this field?