
How to track transaction with multiple indexes with different fields?

Loves-to-Learn Everything

Hello everyone. I am trying to track office and remote logins using multiple indexes with the transaction command. One of the logs has a session id, so I am able to use a transaction command to track that, but it's the second piece that is difficult. The other index does not have a session id, and the only thing that is similar is the username field. For remote logins, if a user signs into the remote desktop app, it will generate an authentication event along with a session id. The other index will also generate a login event. The authentication event and login event are at most a second apart, but in most circumstances are at the exact same time. If a user were to log in from the office, only a login event is captured. My query is as follows, but there are some issues with the results I am seeing.


(index=connection_log username="user" message="logged in") OR (index=remote_app username="user" action=auth OR action=terminateSession)
| transaction username maxspan=2s keeporphans=true
| transaction session_id startswith=auth endswith=terminateSession


I've tried using subsearches as well but am unable to get the desired results. Wondering if anyone else has tried to do something similar. Your help would be appreciated.


Thank you


Esteemed Legend

Hi @jkang117,

Let me understand: you want to find whether a user uses, in the same time period (2 seconds), both local and remote access, which are in different indexes and whose only common field is username, is that correct?

If this is your need, you should try a different approach using a streaming command such as stats or timechart:

So see my approach and adapt it to your needs:

(index=connection_log username="user" message="logged in") OR (index=remote_app username="user" (action=auth OR action=terminateSession))
| timechart span=2s dc(index) AS index_count BY username
| where index_count>1

The transaction command should be used only if you haven't any other solution, because it's a very slow command, and using two transaction commands, as your search does, you can run the search and then go get a coffee while waiting for the answer!

I don't know if my search is exactly what you're searching for, but analyze my approach and try to use it.




Loves-to-Learn Everything

Hi @gcusello,

So to explain, the connection log shows that a user logged in regardless of whether the user is coming in remotely or locally at the office. The way to determine if a user is logging in remotely: a user will sign into the remote application, and it will generate a login event on the connection log at most within 2 seconds. If they are logging in from the office, there will only be a login event from the connection log. The issue I am running into is that there are times users might log in multiple times within the same session, and I'm having difficulty accounting for those logins.



If a user logged in from the office, how would you tell if/when they logged off or offline?


Loves-to-Learn Everything

There isn't a way to really track that in the logs. What I can definitively track are remote login sessions, since there is a session id associated with them.

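Added example, not from the thread and not SPL: the correlation rules described in the question and the follow-ups, written in Python over constructed events so the logic can be checked offline before it is turned into a search. It labels each connection_log login as remote when the same user has a remote_app auth within 2 s of it (a relative window, like maxspan), attributes later logins that fall inside an open auth..terminateSession window to that session (the repeat-login case), and leaves office logins with no session and no end time, since the thread says office logoffs are not logged. It also mimics the fixed 2-second-bucket check from the timechart answer (dc(index) per bucket per user) to show that an auth/login pair 0.8 s apart can land in two different buckets and be missed. Field names follow the thread; every event value, the session ids and the assumption that terminateSession closes the session are constructed.

```python
"""Correlate remote_app auth events with connection_log logins.

Added example in Python, not the thread's own query. Field names (index,
username, action, message, session_id, _time) follow the thread; the event
values below are constructed.
"""
import math
from collections import defaultdict

# The thread says auth and login are at most a second apart; 2 s matches maxspan=2s.
REMOTE_WINDOW_S = 2.0

# Constructed sample events (epoch seconds) from the two indexes in the thread.
EVENTS = [
    {"_time": 1000.5, "index": "remote_app", "username": "alice", "action": "auth", "session_id": "S1"},
    {"_time": 1001.0, "index": "connection_log", "username": "alice", "message": "logged in"},
    {"_time": 1300.0, "index": "connection_log", "username": "alice", "message": "logged in"},  # re-login inside S1
    {"_time": 2000.0, "index": "remote_app", "username": "alice", "action": "terminateSession", "session_id": "S1"},
    {"_time": 1500.0, "index": "connection_log", "username": "bob", "message": "logged in"},  # office only
    {"_time": 3001.5, "index": "remote_app", "username": "carol", "action": "auth", "session_id": "S2"},
    {"_time": 3002.3, "index": "connection_log", "username": "carol", "message": "logged in"},  # 0.8 s later, across a 2 s bucket edge
    {"_time": 3500.0, "index": "remote_app", "username": "carol", "action": "terminateSession", "session_id": "S2"},
]


def remote_sessions(events):
    """Build {session_id: {username, start, end}} from auth/terminateSession pairs.

    A session whose terminateSession has not been seen is treated as still
    open (end = +inf), so logins after the auth are still attributed to it.
    """
    sessions = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["index"] != "remote_app":
            continue
        sid = ev["session_id"]
        if ev["action"] == "auth":
            sessions[sid] = {"username": ev["username"], "start": ev["_time"], "end": math.inf}
        elif ev["action"] == "terminateSession" and sid in sessions:
            sessions[sid]["end"] = ev["_time"]
    return sessions


def classify_logins(events, window=REMOTE_WINDOW_S):
    """Label each connection_log login as remote (with its session_id) or office.

    Rule 1: a remote_app auth for the same user within +/- `window` seconds.
    Rule 2: otherwise, the login falls inside an open remote session of that
            user (the "multiple logins within the same session" case).
    Anything else is an office login; no logoff is known for those.
    """
    sessions = remote_sessions(events)
    auths = defaultdict(list)  # username -> [(auth time, session_id)]
    for sid, s in sessions.items():
        auths[s["username"]].append((s["start"], sid))

    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["index"] != "connection_log" or ev.get("message") != "logged in":
            continue
        user, t = ev["username"], ev["_time"]
        label, sid = "office", None
        near = [(abs(t - at), s) for at, s in auths[user] if abs(t - at) <= window]
        if near:
            sid, label = min(near)[1], "remote"  # closest auth wins
        else:
            for cand, s in sessions.items():
                if s["username"] == user and s["start"] <= t <= s["end"]:
                    sid, label = cand, "remote"
                    break
        results.append({"username": user, "_time": t, "type": label, "session_id": sid})
    return results


def fixed_bin_remote_users(events, span=REMOTE_WINDOW_S):
    """Mimic `timechart span=2s dc(index) AS index_count BY username | where index_count>1`.

    Buckets are fixed-width, so two events less than `span` apart can still fall
    into neighbouring buckets and the pair is then not counted.
    """
    seen = defaultdict(set)  # (bucket number, username) -> set of indexes
    for ev in events:
        seen[(math.floor(ev["_time"] / span), ev["username"])].add(ev["index"])
    return {user for (_, user), idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    for row in classify_logins(EVENTS):
        print(row)
    print("fixed-bucket check flags:", fixed_bin_remote_users(EVENTS))
```

On the sample data the relative-window classifier marks alice's two logins and carol's login as remote (carol's via the 0.8 s auth, alice's second one via the open S1 session) and bob's as office, while the fixed-bucket check flags only alice: carol's auth at 3001.5 and login at 3002.3 sit in different 2-second buckets. If the timechart approach is used in Splunk, a bucket wider than the expected gap, or a relative-time check such as streamstats over the user's events, avoids that edge case.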