Gentlemen
My raw events have a field called login_time which has values of the format (2022-04-11 10:52:08). This is the time a user logs in to the system. There is no logout_time field in the raw data. Now, the requirement is to track all activities done by the user starting from login_time and ending with login_time + 8 hours.
1) How do I add these 8 hours to the login_time in my search? Do I create an eval function, something like eval logout_time = login_time + 8:00:00?
2) Transaction works with strings in startswith and endswith. Can it be used to track time which is in numerical format, as shown in the query below? If not, how else do I group all events done by the user within the login and logout time?
index=xxxx
transaction startswith ="2022-04-11 10:52:08" endswith="2022-04-11 10:52:08 + 8 hrs"
| stats .... by user
Hope I am clear.
You could do
| transaction user startswith=(login_time=* ) maxspan=8h
This will group events by the user, where the first event starts with login_time and it won't go more than eight hours. That way it can start with the time of login.
Unless you want it to start from a certain time. In which case the string time value makes sense.
You can use fields to group transactions together. So group it by the user field and use the maxspan time to make sure the first activities and last are no more than 8 hours apart.
| transaction user maxspan=8h
If I use | transaction user maxspan=8h, how can I tell Splunk where to start from? Is there any way to tell it to do something like this?
| transaction startswith="2022-04-11 08:00:00" maxspan=8h
Though in this case it will end up considering the timestamp mentioned above as a string, and so it won't be able to add 8 hours to it, and eventually the maxspan=8h will fail.
try:
To use relative_time the time has to be in epoch, which is why I converted it first. Then I added 8 hours to the epoch time to give you the log_out time.
Try and see, as a colleague of mine in a previous workplace used to say 😉
But no, it won't be that simple. If you do those evals you'll have the logout time in the login event. The search command doesn't know about this value. You'd need to either distribute it to the events as additional fields with eventstats/streamstats and then filter on a condition similar to the one you just wrote, or you can use transaction, as someone already showed.
One caveat though - what will happen if someone logs in twice during those 8 hours? And what would you like to get as a result in this case?
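As an added example (not posted by anyone in this thread), here is the eval plus streamstats approach from the reply above written out in full. It assumes the index is called xxxx, that every login event carries login_time in the format shown by the asker, that other events for the same user carry the same user field, and that an action field exists to summarise; the session boundaries are carried forward onto the later events and then used as the filter.

```spl
index=xxxx
| eval login_epoch=strptime(login_time, "%Y-%m-%d %H:%M:%S")
| eval logout_epoch=relative_time(login_epoch, "+8h")
| sort 0 user _time
| streamstats current=t last(login_epoch) as session_start last(logout_epoch) as session_end by user
| where _time>=session_start AND _time<=session_end
| stats count values(action) as actions min(_time) as first_seen max(_time) as last_seen by user session_start session_end
| eval session_start=strftime(session_start, "%Y-%m-%d %H:%M:%S"), session_end=strftime(session_end, "%Y-%m-%d %H:%M:%S")
```

Because streamstats last() only picks up non-null values, events before a user's first login have no session_start and are dropped by the where clause; a second login inside the 8 hours simply starts a new session row, which is one concrete answer to the caveat raised above.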