Splunk Search

How to search for group user activities based on Login Logout time?

neerajs_81
Builder

Gentlemen

My raw events have a field called login_time which has values of format ( 2022-04-11 10:52:08 ) .  This is the time an user logs in to the system.  There is no logout_time field in raw data.  Now, the requirement is to track all activities done by the user starting from login_time and ending with login_time + 8 hours. 

1)   How do i add this 8 hours to the login_time in my search ? Do i create an eval function something like eval logout_time = login time + 8:00:00 ? 
2) Transaction works with strings in startswith and endswith.  Can it be used to track time which is in  numerical format  as  shown in below query ?    If not, how else to group all events done by the user within the login and logout time ?

 

 

 

 

index=xxxx
transaction startswith ="2022-04-11 10:52:08" endswith="2022-04-11 10:52:08 + 8 hrs"
| stats .... by user

 

 

 

 

Hope i am clear

Labels (2)
Tags (2)
0 Karma
1 Solution

sperkins
Path Finder

You could do
| transaction user startswith=(login_time=* ) maxspan=8h

 

This will group events by the user, where the first event starts with login_time and it won't go more than eight hours. That way it can start with the time of login. 

Unless you want it to start from a certain time. In which case the string time value makes sense. 

View solution in original post

sperkins
Path Finder

You can use fields to group transactions together. So group it by the user field and use the maxspan time to make sure the first activities and last are no more than 8 hours apart. 

| transaction user maxspan=8h

0 Karma

neerajs_81
Builder

if i use | transaction user maxspan=8h ,  how can i tell Splunk where to start from ?  Any way to tell it to do something like this ?  

 

 | transactions startswith="2022-04-11 08:00:00"  maxspan=8h

 

Though in this case it will end up considering the timestamp mentioned above ,  as a string and so won't be able to add 8hours to it, and eventually the maxspan=8h  will fail.

0 Karma

sperkins
Path Finder

You could do
| transaction user startswith=(login_time=* ) maxspan=8h

 

This will group events by the user, where the first event starts with login_time and it won't go more than eight hours. That way it can start with the time of login. 

Unless you want it to start from a certain time. In which case the string time value makes sense. 

sperkins
Path Finder

try:

| eval Epoch_login =strptime(login_time,”%Y-%m-%d %H:%M:%S”)
| eval log_out = relative_time(Epoch_login,"+8h")
Use %I instead of %H, if it isn't in 24 hour time format, but in 12 hour.  

To use relative_time the time has to be in Epoch which is why I converted it first. Then added 8 hours to the epoch time to give you the log_out time

https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#relative_time...

neerajs_81
Builder

@sperkins If i use these 2 evals, i see the value of eval is in Unix time.  So, will something like this work to get me all the activities performed by the user in that interval  ?

 | where _time > Epoch_login and _time < = log_out

 

Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Try and see, as a colleague of mine in previous workplace used to say 😉

But no, it won't be that simple. If you dom those evals you'll have the logout time in the login event. The search command doesn't know about this value. You'd need to either distribute it to the events as an additional fields with eventstats/streamstats to then  filter on a condition similar to that you just wrote. Or you can use transaction, as someone already showed.

One caveat though - what will happen if someone logs in twice during thkse 8 hours? And what would you like to get as a result in this case?

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...