Splunk Search

How to configure transaction

lain179
Communicator

I have user login/out logs to parse. The goal is to get the information on

  • Active sessions (i.e. no logout time) by server
  • Total logins over certain period of time by server
  • Login duration by server

The log files look like

2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'.  SERVERNAME

2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVERNAME

How do I set up transactions for them? Please don't just give me a link to read because I have already read it and I don't get it.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Searchfortransactions

Thanks.

0 Karma
1 Solution

sdaniels
Splunk Employee

Assuming you have the data coming into Splunk properly you'll first want to extract out the relevant fields. This wizard will help generate the required regular expression for you. That way you can now have a field called 'session'.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

Then you can simply create a search that creates your transaction using session in this case; it could be a different value or multiple fields as well:

search | transaction session

This will automatically create larger transaction events and a duration field for the time. Given your needs above, once you get to this step we can create several searches to match the transactions by session or server name etc...

If you don't have the data configured in Splunk yet you'll want to start here. It's pretty straightforward.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs

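As an added illustration (this is not part of the original thread and not Splunk code), the Python below does by hand what `| transaction session` does to the poster's two event types: it extracts the fields with regexes like those the IFX wizard would generate, groups events by session id, and emits one record per session with an eventcount, a duration in seconds and a closed flag. It then answers the three questions from the original post (active sessions, logins per window, login duration) by server. The log lines are constructed samples in the poster's format, with one session that never logs out and one logout with no matching login so both edge cases are visible; the regexes, function names and the time-window arguments are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same format as the poster's two log lines
# (not real data). SESSION68811350 never logs out, SESSION99999999 logs out
# without a login, so both edge cases are exercised.
SAMPLE_LOG = """\
2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'.  SERVER01
2012-11-08 16:21:40 Start login for user 'HIJKLMN', profile: 'admin', session: 'SESSION68811301'.  SERVER02
2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVER01
2012-11-08 16:30:00 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811350'.  SERVER01
2012-11-08 16:45:05 Log out session 'SESSION68811301'. SERVER02
2012-11-08 17:02:13 Log out session 'SESSION99999999'. SERVER03
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Field extractions equivalent to what an IFX-generated regex would give you
# (assumed patterns, written for the two line shapes in the question).
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Start login for user '(?P<user>[^']+)', "
    r"profile: '(?P<profile>[^']+)', session: '(?P<session>[^']+)'\.\s+(?P<server>\S+)$"
)
LOGOUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Log out session '(?P<session>[^']+)'\.\s+(?P<server>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into events with extracted fields, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m, action = LOGIN_RE.match(line), "login"
        if m is None:
            m, action = LOGOUT_RE.match(line), "logout"
        if m is None:
            continue  # line the extraction does not match: no fields, skip it
        fields = m.groupdict()
        fields["_time"] = datetime.strptime(fields.pop("ts"), TS_FMT)
        fields["action"] = action
        events.append(fields)
    events.sort(key=lambda e: e["_time"])
    return events


def build_transactions(events):
    """Group events by session id the way `transaction session` does.

    Each record carries the first and last event time, an eventcount and a
    duration in seconds; `closed` is True only when a 'Log out' followed a
    'Start login'; `orphan` marks a logout whose login is not in the data.
    """
    open_txns, done = {}, []
    for ev in events:
        sid = ev["session"]
        if ev["action"] == "login":
            open_txns[sid] = {  # a reused session id simply starts a new record
                "session": sid, "server": ev["server"], "user": ev["user"],
                "profile": ev["profile"], "start": ev["_time"], "end": None,
                "eventcount": 1, "duration": 0.0, "closed": False, "orphan": False,
            }
            continue
        txn = open_txns.pop(sid, None)
        if txn is None:
            done.append({  # logout with no login: a one-event transaction
                "session": sid, "server": ev["server"], "user": None,
                "profile": None, "start": None, "end": ev["_time"],
                "eventcount": 1, "duration": 0.0, "closed": False, "orphan": True,
            })
            continue
        txn["end"] = ev["_time"]
        txn["eventcount"] += 1
        txn["duration"] = (txn["end"] - txn["start"]).total_seconds()
        txn["closed"] = True
        done.append(txn)
    done.extend(open_txns.values())  # still open at end of data = active session
    return sorted(done, key=lambda t: t["start"] or t["end"])


def active_sessions_by_server(txns):
    """Sessions that started but never logged out, grouped by server."""
    out = defaultdict(list)
    for t in txns:
        if not t["closed"] and not t["orphan"]:
            out[t["server"]].append(t["session"])
    return dict(out)


def logins_by_server(txns, since, until):
    """Count logins whose start falls in [since, until), both in TS_FMT."""
    lo, hi = datetime.strptime(since, TS_FMT), datetime.strptime(until, TS_FMT)
    out = defaultdict(int)
    for t in txns:
        if t["start"] is not None and lo <= t["start"] < hi:
            out[t["server"]] += 1
    return dict(out)


def duration_by_server(txns):
    """Average session length in seconds per server, closed sessions only."""
    total, count = defaultdict(float), defaultdict(int)
    for t in txns:
        if t["closed"]:
            total[t["server"]] += t["duration"]
            count[t["server"]] += 1
    return {s: total[s] / count[s] for s in total}


if __name__ == "__main__":
    txns = build_transactions(parse_events(SAMPLE_LOG))
    for t in txns:
        print(t["session"], t["server"], t["eventcount"], t["duration"], t["closed"])
    print(active_sessions_by_server(txns))
    print(logins_by_server(txns, "2012-11-08 16:00:00", "2012-11-08 17:00:00"))
    print(duration_by_server(txns))
```

The Splunk form of the same grouping is `... | transaction session startswith="Start login" endswith="Log out"`, which adds the duration and eventcount fields to each grouped event; a transaction that begins with a 'Start login' and has eventcount=1 is a session with no logout, which is exactly how the example above classifies active sessions.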

lain179
Communicator

Hmm... I didn't think the video would have helped, but it did 🙂

I got the idea on how to apply to my usage now. Thank you.

0 Karma

sdaniels
Splunk Employee

Ok. I think this video (5 mins) will help. It's a different use case but you'll see exactly what it does, how the data will look and why. Let me know your thoughts.

http://www.splunk.com/view/SP-CAAAG9X

0 Karma

lain179
Communicator

Hi, thanks for responding.

I have already set up field extraction. LoginDate, LogoutDate, UserID, Profile, UserSession, and ServerName. I know how to get what I need using stats and chart, but I want to learn about transaction.

I still don't get your example of

| transaction session

0 Karma