Splunk Search

How to calculate length of session

crobicha
Explorer

I have ssh events in the following log format:

sshd[31922]: pam_unix(sshd:session): session closed for user root

sshd[31922]: pam_unix(sshd:session): session opened for user root by (uid=0)

sshd[30954]: pam_unix(sshd:session): session closed for user root

sshd[30954]: pam_unix(sshd:session): session opened for user root by (uid=0)
...

How difficult would it be to generate a report each week that lists each session and its length?

It seems like I need to do something similar to this thread (http://splunk-base.splunk.com/answers/4886/eval-time-between-events-for-transaction-by-group), but I'm not sure exactly how I would apply this to my situation - how do I ensure that the proper session open and close events are correlated?

Tags (3)
0 Karma
1 Solution

Ayn
Legend

Looking at the question you linked to, that one covers how to calculate the time between sessions whereas in your case you need to calculate the time within the session. This should be pretty easy to achieve by creating a transaction based on the pid. Assuming you have the pid extracted into a field with the same name, just do

... | transaction pid startswith="session opened" endswith="session closed"

When the transaction command creates transactions, it always outputs a field for each transaction called "duration", which is exactly what it sounds like - the duration of the transaction, in seconds. So to get a table of all sessions and their lengths, do something like this (assuming you have the user extracted into a field called "user"):

... | transaction pid startswith="session opened" endswith="session closed" | table _time user duration

View solution in original post

Ayn
Legend

Looking at the question you linked to, that one covers how to calculate the time between sessions whereas in your case you need to calculate the time within the session. This should be pretty easy to achieve by creating a transaction based on the pid. Assuming you have the pid extracted into a field with the same name, just do

... | transaction pid startswith="session opened" endswith="session closed"

When the transaction command creates transactions, it always outputs a field for each transaction called "duration", which is exactly what it sounds like - the duration of the transaction, in seconds. So to get a table of all sessions and their lengths, do something like this (assuming you have the user extracted into a field called "user"):

... | transaction pid startswith="session opened" endswith="session closed" | table _time user duration

crobicha
Explorer

Thanks Ayn, that's exactly what I needed!

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...