
How to join two consecutive events and their _time fields?

PrisonMike
Explorer


I have a log file with events that indicate activities in a server. I am interested in the Login and Logout activities - I need to create a report of active sessions.

I managed to order the events so that I can get Login-Logout events consecutively for each user.


ITWhisperer
SplunkTrust
SplunkTrust

Assuming your events are already sorted in chronological order (earliest first), try something like this

| streamstats global=f window=1 current=f latest(event) as previous_event latest(time) as previous_time by user
| reverse
| streamstats global=f count(eval(previous_event="Login")) as occurrence by user
| where event="Logout" and previous_event="Login"


PrisonMike
Explorer

I don't really understand what we need the occurrence for?


ITWhisperer
SplunkTrust
SplunkTrust

Strictly speaking you don't if you just want the times - I have used occurrence in some of my solutions to "tag" the correlated events


PrisonMike
Explorer

Got it


ITWhisperer
SplunkTrust
SplunkTrust

_time is a bunch of numbers too - it is just auto-formatted when you display it! If you want to display latest(_time) as a datetime string, use either fieldformat or eval with the strftime() function


PrisonMike
Explorer

Okay the solution works perfectly except for the part where I have to include even "half-sessions" where I only have the login or logout event within my time frame. In such case it would be something like

Login Time     | User  | Logout Time
null           | user1 | yy-mm-dd h:m:s
yy-mm-dd h:m:s | user2 | null


ITWhisperer
SplunkTrust
SplunkTrust

| eval start=if(event="Login",time,null())
| eval end=if(event="Logout",time,null())
| streamstats global=f count(eval(event="Login")) as session by user
| stats values(start) as start values(end) as end by user session
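The pairing logic of that last search, mirrored in Python as an added example (not from the thread or from Splunk) so the per-user session numbering and both half-session cases can be checked offline; the sample log lines and the `time`/`user`/`event` field names are constructed.

```python
from collections import defaultdict

# Constructed sample events (not from the thread), one per line and already
# sorted earliest-first, the precondition the accepted answer states.
# user1 starts with a Logout whose Login fell outside the time frame;
# user2 ends with a Login that has no Logout yet (both "half-sessions").
SAMPLE_LOG = """\
2024-03-01T08:00:00 user=user1 event=Logout
2024-03-01T08:05:00 user=user2 event=Login
2024-03-01T08:10:00 user=user1 event=Login
2024-03-01T09:00:00 user=user1 event=Logout
2024-03-01T09:30:00 user=user2 event=Logout
2024-03-01T10:00:00 user=user2 event=Login
"""

def parse_events(text):
    """Split each line into {'time', 'user', 'event'} (field names assumed)."""
    events = []
    for line in text.splitlines():
        ts, user_kv, event_kv = line.split()
        events.append({"time": ts, "user": user_kv.split("=", 1)[1],
                       "event": event_kv.split("=", 1)[1]})
    return events

def pair_sessions(events):
    """Mirror of the thread's last search: `session` is the running count of
    Login events per user (streamstats count(eval(event="Login")) by user),
    and start/end are collected by (user, session).  A Logout before any
    Login lands in session 0 with login=None; a trailing Login leaves
    logout=None.  Where SPL values() keeps every value, this keeps the last."""
    login_count = defaultdict(int)
    sessions = {}
    for e in events:
        user = e["user"]
        if e["event"] == "Login":
            login_count[user] += 1
        key = (user, login_count[user])
        row = sessions.setdefault(key, {"user": user, "session": key[1],
                                        "login": None, "logout": None})
        if e["event"] == "Login":
            row["login"] = e["time"]
        elif e["event"] == "Logout":
            row["logout"] = e["time"]
    return [sessions[k] for k in sorted(sessions)]

def open_sessions(rows):
    """Rows with a Login but no Logout: the sessions still active."""
    return [r for r in rows if r["login"] is not None and r["logout"] is None]
```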