Splunk Search

How to get "duration" without using transaction

pisc
Explorer

With the transaction command you can get the interval (duration) between grouped log events, but could you tell me how to obtain the duration without using transaction?

Using the logs below, I want to get the total PC usage time per user.

For user01 the usage time is 23:00 to 23:30, i.e. 30 min, but for user02 the event after its Start is user03 using PC02, so its usage time is 23:10 to 23:35, i.e. 25 min.

If I use transaction with startswith=Start and endswith=End, the grouping does not work because user02 above has no End.

Could you tell me how to get the duration in this case, or whether transaction can still be made to work?

DATE | ID | HOSTNAME | STATUS
14/05/31 23:00 | user01 | PC01 | Start
14/05/31 23:10 | user02 | PC02 | Start
14/05/31 23:30 | user01 | PC01 | End
14/05/31 23:35 | user03 | PC02 | Start
14/05/31 23:50 | user03 | PC02 | End


Some information was missing, so I am adding it below.

The STATUS column also contains "Timeout" log entries.

DATE | ID | HOSTNAME | STATUS
14/05/31 23:35 | user03 | PC02 | Start
14/05/31 23:50 | | PC02 | Timeout
14/05/31 23:55 | user04 | PC02 | Start
14/05/31 23:59 | user04 | PC02 | End

When there is a Timeout log, the ID is blank.
In this case, user03's usage time is 23:35 to 23:50.

I want to aggregate one month of such logs and total the usage time per HOSTNAME and per ID.

0 Karma

MuS
Legend

Hi pisc,

you can use streamstats like this:

yourBaseSearchHere 
| sort 0 _time
| streamstats current=false last(STATUS) as last_status last(_time) as time_of_change by ID
| where STATUS!=last_status 
| eval duration=_time-time_of_change 
| eval duration=tostring(duration, "duration") 
| table _time, HOSTNAME, ID, duration

this is untested since I'm missing the real events, so maybe you will need to adapt some things to match your needs.

hope this helps ...

cheers, MuS

MuS
Legend

try something like this:

yourBaseSearchHere 
| sort 0 _time
| streamstats current=false last(STATUS) as last_status last(_time) as time_of_change by HOSTNAME
| where STATUS="Start" AND ( last_status="Timeout" OR last_status="End" )
| eval duration=_time-time_of_change 
| eval duration=tostring(duration, "duration") 
| table _time, HOSTNAME, ID, duration

this will group your events by HOSTNAME and calculate the duration. The table will display the date, HOSTNAME, ID (if available) and the duration.

hope this makes sense

0 Karma
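A complete, self-contained version of the streamstats approach, added here as an illustration; it is not part of MuS's answer or of the original thread. It differs from the search above in one respect: a session is closed by whatever event comes next on the same HOSTNAME, whether that is End, Timeout or another user's Start, which is what the question asks for (user02's session on PC02 ends when user03 starts). The user of a session is taken from its Start event, so the blank ID on Timeout rows does not matter. The sample rows are pisc's two tables merged into one set and constructed inline with makeresults, so the search runs on any Splunk instance with no indexed data; DATE, ID, HOSTNAME and STATUS are the field names from the question, while raw, prev_status, prev_id, prev_time, duration_sec, total_sec and total_min are names chosen for this example.

```spl
| makeresults
| eval raw="14/05/31 23:00|user01|PC01|Start;14/05/31 23:10|user02|PC02|Start;14/05/31 23:30|user01|PC01|End;14/05/31 23:35|user03|PC02|Start;14/05/31 23:50||PC02|Timeout;14/05/31 23:55|user04|PC02|Start;14/05/31 23:59|user04|PC02|End"
| eval raw=split(raw, ";")
| mvexpand raw
| rex field=raw "^(?<DATE>[^|]+)\|(?<ID>[^|]*)\|(?<HOSTNAME>[^|]+)\|(?<STATUS>.+)$"
| eval _time=strptime(DATE, "%y/%m/%d %H:%M")
| sort 0 _time
| streamstats current=false window=1 last(STATUS) as prev_status last(ID) as prev_id last(_time) as prev_time by HOSTNAME
| where prev_status="Start"
| eval user=prev_id, duration_sec=_time-prev_time
| stats sum(duration_sec) as total_sec by HOSTNAME user
| eval total_min=total_sec/60
| table HOSTNAME user total_min
```

The first five lines only build the sample data; against real events replace them with the base search, and drop the strptime line if _time is already parsed from DATE at index time. The sort is required: streamstats walks events in search order, which is newest first by default, and the previous event on a host must be the chronologically earlier one. With the sample rows the result is PC01/user01 30, PC02/user02 25, PC02/user03 15 and PC02/user04 4 minutes; for totals per host alone use `| stats sum(duration_sec) as total_sec by HOSTNAME` instead of the by HOSTNAME user line (PC01 30, PC02 44). Two caveats for a month of data: a Start that has no later event on the same host inside the search window (a session still open, or a gap in the logs) produces no row, and the same window boundary can split a session, so run the report over a range that extends slightly past the month being measured.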

pisc
Explorer

Thank you for your comments.
Sorry for not explaining enough.

The "STATUS" column also includes "Timeout" logs.

DATE | ID | HOSTNAME | STATUS
14/05/31 23:35 | user03 | PC02 | Start
14/05/31 23:50 | | PC02 | Timeout
14/05/31 23:55 | user04 | PC02 | Start
14/05/31 23:59 | user04 | PC02 | End

The "Timeout" log does not include an ID.

In this case, user03's usage time runs from the "Start" at 23:35 until the Timeout log at 23:50.

I want to measure the PC usage time of each user in this case.

I'm sorry for my clumsy English.
It would be extremely helpful if you could tell me how to do this.

pisc

0 Karma