Splunk Search

Tricky latest login state question

SecureIA
Path Finder

Hi Guys,
I'm having a bit of trouble with this. Basically I wish to show who is logged into this device on a dashboard, and I have a great search which takes the last login state and should work. My problem is that the device logs in such a way that the last state is always 'out' and will show users as 'logged out' even if they are in fact 'logged in', as the example below shows. Would there possibly be a way in which my search could discount the last login state? Or perhaps do this another way? I'm open to any suggestions.

<device> (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@<device> from 10.20.84.39 logged out
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

<device> (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@<device> from 10.20.84.39 logged in
host = <device> source = udp:514 sourcetype = syslog

Any help would be massively appreciated.
Cheers

0 Karma

vasanthmss
Motivator

Hi SecureIA,

Try something like this,

| stats latest(eval(if(status="loggedin",_time, null()))) as logon,
        latest(eval(if(status="logout",_time, null()))) as logoff by <host, device, sessiond, msg_id>
| eval logoff=if(logoff<logon OR isnull(logoff), "Live", logoff)
| eval logon=if(isnull(logon), "Not in time Range", logon)
| eval duration=tostring(logoff-logon, "duration")
| eval logon=if(isint(logon), strftime(logon,"%+"), logon)
| eval logoff=if(isint(logoff), strftime(logoff,"%+"), logoff)

In the stats by clause I've mentioned some random fields; you can change them based on your search. I guess the remaining part will help you.

Note: Assuming you have a field called status that can identify whether the event is a logon or logoff. If not, you can use _raw to define it. Instead of checking raw, I prefer to extract a field and name it status.

status="loggedin" => _raw like "%logged in%"
status="logout" => _raw like "%logged out%"

Thanks,
V

0 Karma

SecureIA
Path Finder

From this I get an error:-

"Error in 'eval' command: The expression is malformed. Expected )."

I put in a ')' after line 4 to which I get:-

"Error in 'eval' command: The arguments to the 'isnull' function are invalid."

0 Karma

vasanthmss
Motivator

I have updated the search. Sorry for the typo. Pls check now

V
0 Karma

Richfez
SplunkTrust

So how do you know when they actually logged out? Does it literally just tell you they logged out right after they logged in regardless?

-- OR -- (And I hope this is the case)

Does it do some sort of stateless re-login for each command or something?

Meaning, the process is like this?

Login (main one, actual login)
Login and nearly immediate logout (ran command X, did Y, whatever)
Login and nearly immediate logout (ran command A, did B, whatever)
Logout (main actual real logout)

In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those? Can you review the logs and see if this is the case?

It also might not hurt if you could supply the device type and [basic] version if appropriate so we can google some on how it logs, too.

0 Karma

SecureIA
Path Finder

It basically logs in, then in again - out - in - out. That's a single login. Also when you exit, it will send a log out.

Your assumption below is exactly right:-

"In which case you want to discard all the short, intermediate login/logout sequences and just see the big one that wraps around those?"

0 Karma
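The nesting idea Richfez describes and SecureIA confirms (every "logged in" opens a level, every "logged out" closes one, so the per-command churn nets out and only the outer login keeps the user "in") as an added example that is not part of the thread: a Python reimplementation over a constructed copy of the sample events, with the placeholder hostname "fw1" standing in for the redacted device name and a 30-minute staleness reset that is this example's own assumption, not something the device documents.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the thread's format (newest first, as Splunk lists them);
# the post's "<device>" is replaced by the placeholder hostname "fw1".
SAMPLE_LOG = """\
fw1 (2016-01-15T10:39:04) sessiond[1627]: msg_id="3E00-0004" Management user lheath@fw1 from 10.20.84.39 logged out
fw1 (2016-01-15T10:39:01) sessiond[1627]: msg_id="3E00-0002" Management user lheath@fw1 from 10.20.84.39 logged in
fw1 (2016-01-15T10:39:00) sessiond[1627]: msg_id="3E00-0004" Management user lheath@fw1 from 10.20.84.39 logged out
fw1 (2016-01-15T10:38:59) sessiond[1627]: msg_id="3E00-0002" Management user lheath@fw1 from 10.20.84.39 logged in
fw1 (2016-01-15T10:38:36) sessiond[1627]: msg_id="3E00-0002" Management user lheath@fw1 from 10.20.84.39 logged in
"""

LINE_RE = re.compile(
    r'^\S+ \((?P<ts>[^)]+)\) sessiond\[\d+\]: msg_id="[^"]+" '
    r'Management user (?P<user>\S+) from (?P<src>\S+) logged (?P<state>in|out)$'
)

def parse(log_text):
    """Extract (time, user, src, state) tuples, sorted oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["state"]))
    return sorted(events)

def session_state(events, stale=timedelta(minutes=30)):
    """Nesting counter: each 'logged in' opens a level, each 'logged out' closes one.
    The per-command in/out churn nets to zero, so only the outer (real) login keeps
    the depth above 0. Returns {'user from src': depth}."""
    depth, last_seen = {}, {}
    for t, user, src, state in events:
        key = f"{user} from {src}"
        # UDP syslog can drop an 'out'; reset a key idle longer than `stale`
        # (assumed threshold) so it does not read as logged in forever.
        if key in last_seen and t - last_seen[key] > stale:
            depth[key] = 0
        last_seen[key] = t
        if state == "in":
            depth[key] = depth.get(key, 0) + 1
        else:  # clamp at 0: the matching 'in' may predate the search window
            depth[key] = max(depth.get(key, 0) - 1, 0)
    return depth

def who_is_logged_in(log_text):
    """Keys with an open outer session, i.e. what the dashboard should list."""
    return sorted(k for k, d in session_state(parse(log_text)).items() if d > 0)
```

On the sample, `who_is_logged_in(SAMPLE_LOG)` reports lheath as still logged in, and only a further "logged out" with no nested "logged in" before it brings the depth to 0. The same counter can be kept in SPL with events sorted oldest first, e.g. `| reverse | streamstats sum(eval(if(status="loggedin",1,-1))) as depth by user`, then reading the latest depth per user.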