Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to join two consecutive events and their _time fields?

PrisonMike
Explorer
‎11-21-2022 03:54 AM

 

I have a log file with events that indicate activities in a server. I am interested in the Login and Logout activities - I need to create a report of active sessions.

I managed to order the events so that I can get Login-Logout events consecutively for each user.

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2022 05:33 AM

Assuming your events are already sorted in chronological order (earliest first), try something like this

| streamstats global=f window=1 current=f latest(event) as previous_event latest(time) as previous_time by user
| reverse
| streamstats global=f count(eval(previous_event="Login")) as occurrence by user
| where event="Logout" and previous_event="Login"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2022 05:33 AM

Assuming your events are already sorted in chronological order (earliest first), try something like this

| streamstats global=f window=1 current=f latest(event) as previous_event latest(time) as previous_time by user
| reverse
| streamstats global=f count(eval(previous_event="Login")) as occurrence by user
| where event="Logout" and previous_event="Login"
0 Karma
Reply
Solved! Jump to solution

PrisonMike
Explorer
‎11-21-2022 06:10 AM

I don't really understand what we need the occurrence for?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2022 06:14 AM

Strictly speaking you don't if you just want the times - I have used occurrence in some of my solutions to "tag" the correlated events

0 Karma
Reply
Solved! Jump to solution

PrisonMike
Explorer
‎11-21-2022 06:23 AM

Got it

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2022 06:27 AM

_time is a bunch of numbers too - it is just auto-formatted when you display it! If you want to display latest(_time) as a datetime string, use either fieldformat or eval with the strftime() function

0 Karma
Reply
Solved! Jump to solution

PrisonMike
Explorer
‎11-21-2022 07:42 AM

Okay the solution works perfectly except for the part where i have to include even "half-sessions" where i only have the login or logout event within my time frame. In such case it would be something like 

 

      Login Time       |   User  |     Logout Time    

             null               | user1 |   yy-mm-dd h:m:s

yy-mm-dd h:m:s   | user2 |          null

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2022 08:39 AM 
| eval start=if(event="Login",time,null())
| eval end=if(event="Logout",time,null())
| streamstats global=f count(eval(event="Login")) as session by user
| stats values(start) as start values(end) as end by user session
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...