Basically what the log looks like is as below:
User log in---
some trivial events---
User starts an action ----
some trivial events---
User ends an action ----
some trivial events---
User log out---
I managed to use transaction to extract the events between user log in and user log out, but what I need is to get the start time and end time of this action and the time duration between start and end.
Any help would be appreciated...
Well, give this a try. Assuming you can extract the action performed by the events into a field (e.g. user_auth, user_action_start, user_action_end, user_signoff):
* | rex "\suser_(?<Action>\w+)" | eval temp=mvzip(Action,"_time","#") | transaction Session connectionID startswith="user_auth" endswith="user_signoff" | eval start=mvfilter(match(temp,"action_start")) | eval end=mvfilter(match(temp,"action_end")) | eval actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1)
Thanks. In the last statement, which is actionDuration=mvindex(split(end,"#"),1)-mvindex(split(start,"#"),1), it says '-' only takes numbers, which _time apparently is not. How could I solve it?
It does the job!!
mvindex returns a string, so you need to convert it to a number. Try this:
....| eval actionDuration=tonumber(mvindex(split(end,"#"),1))-tonumber(mvindex(split(start,"#"),1))
The transaction command creates a field called duration whose value is the difference between the timestamps for the first and last events in the transaction.
Thanks, but I need the timestamp difference between two events that are inside the transaction, not the first or the last. Is there any way I could do that?
Why not adjust the transaction to start and end with the events that you need it to? Then you can use duration.
Because I need to make sure it happens inside the user's login session, so that I can know how much time one user spent on this action.
Or maybe there's another way?
Can you provide some sample logs and current query?
Yeah sure:
the log is like:
SessionID ConnectionID (both are extracted fields) ..user_auth..(plain text inside log)
SessionID ConnectionID (both are extracted fields) ..user_action_start..(plain text inside log)
SessionID ConnectionID (both are extracted fields) ..user_action_end..(plain text inside log)
SessionID ConnectionID (both are extracted fields) ..user_signoff..(plain text inside log)
and my current query is
*| transaction Session connectionID startswith="user_auth" endswith="user_signoff"
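For readers who want to see the logic of the rex / mvzip / mvfilter answer spelled out against the log shape described above, here is an added Python example; it is not from the thread and not Splunk code. It assumes a constructed line layout (ISO timestamp, then session=... and conn=... key/value pairs, then free text containing user_<action>), and the sample log is made up for the example. It groups events into login transactions per (session, connection), keeps only the action start/end that fall inside such a session, and computes the action duration in seconds. It also covers two cases the query above does not show: an action that never ends inside a session, and an action with no surrounding login at all (the reason the asker gave for keeping the transaction bounded by user_auth / user_signoff).

```python
import re
from datetime import datetime

# Constructed sample log (not from the thread): one login session with a completed
# action, one login session whose action never ends, and one action with no login.
SAMPLE_LOG = """\
2024-01-01T09:00:00 session=s1 conn=c1 user_auth ok
2024-01-01T09:00:05 session=s1 conn=c1 heartbeat
2024-01-01T09:01:00 session=s1 conn=c1 user_action_start report
2024-01-01T09:01:30 session=s1 conn=c1 heartbeat
2024-01-01T09:04:00 session=s1 conn=c1 user_action_end report
2024-01-01T09:05:00 session=s1 conn=c1 user_signoff
2024-01-01T10:00:00 session=s2 conn=c2 user_auth ok
2024-01-01T10:02:00 session=s2 conn=c2 user_action_start report
2024-01-01T10:03:00 session=s2 conn=c2 user_signoff
2024-01-01T11:00:00 session=s3 conn=c3 user_action_start report
2024-01-01T11:05:00 session=s3 conn=c3 user_action_end report
"""

# Assumed line layout: ISO timestamp, session=..., conn=..., free text.
LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) conn=(?P<conn>\S+) (?P<msg>.*)$")
# Same idea as the answer's rex "\suser_(?<Action>\w+)": pull the action name out of the text.
ACTION_RE = re.compile(r"\suser_(?P<action>\w+)")


def parse_line(line):
    """Return an event dict, or None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = ACTION_RE.search(line)
    return {
        "_time": datetime.fromisoformat(m["ts"]),
        "session": m["session"],
        "conn": m["conn"],
        "action": a["action"] if a else None,
    }


def transactions(lines):
    """Group events into login transactions per (session, conn), in the spirit of
    transaction Session connectionID startswith="user_auth" endswith="user_signoff"."""
    open_tx = {}
    closed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["session"], ev["conn"])
        if ev["action"] == "auth":
            open_tx[key] = {"session": ev["session"], "conn": ev["conn"],
                            "login": ev["_time"], "logout": None, "events": []}
            continue
        tx = open_tx.get(key)
        if tx is None:
            continue  # no open login session for this key: dropped, as with startswith
        tx["events"].append(ev)
        if ev["action"] == "signoff":
            tx["logout"] = ev["_time"]
            closed.append(open_tx.pop(key))
    # Sessions that never signed off are still reported, with logout left as None.
    return closed + list(open_tx.values())


def first_time(tx, action):
    """Timestamp of the first event in the transaction with the given action
    (the role mvfilter/match played in the answer's query)."""
    return next((e["_time"] for e in tx["events"] if e["action"] == action), None)


def session_action_durations(log_text):
    """Per login session: start/end of the action and its duration in seconds."""
    rows = []
    for tx in transactions(log_text.splitlines()):
        start = first_time(tx, "action_start")
        end = first_time(tx, "action_end")
        complete = start is not None and end is not None
        rows.append({
            "session": tx["session"],
            "conn": tx["conn"],
            "login": tx["login"],
            "logout": tx["logout"],
            "action_start": start,
            "action_end": end,
            "actionDuration": (end - start).total_seconds() if complete else None,
        })
    return rows


if __name__ == "__main__":
    for row in session_action_durations(SAMPLE_LOG):
        print(row["session"], row["conn"], row["actionDuration"])
```

With the sample log, session s1 reports an action duration of 180 seconds, s2 reports None because the action never ended before sign-off, and s3 does not appear at all because its action happened outside any login session. Checking for a None duration is the practical difference from the one-line SPL: it tells you which sessions have an unmatched start rather than silently producing an empty value.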