Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to look for sessions with login and logout requests

Labuser43
Engager
‎10-14-2024 08:29 PM

Hello,

I'm just trying to learn SPL and am currently trying to find all sessions with login and logout requests, identified by the SESSION_ID field. So basically I'm trying to find all SESSION_ID values where within the session the user performs a login and logout operation. Coming from the relational database world, my first step was to write some sort of join operation but I quickly found out that joins are not the best thing to do in Splunk. 

This is what I tried:

 

index=allsessions "*login*" | join type=inner left=L right=R where L.SESSION_ID=R.SESSION_ID [search index=allsessions "*logout*"]

 

Can someone help me write a better query for the above problem? Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2024 11:26 PM

Hi @Labuser43 ,

at first Splunk isn't a database so you don't need an inner join to extract some data like the ones you want, forget all you know about databases and reset your mind (I did it 13 years ago!).

You have to correlate different events to extract e.g. the timestamps of logins and logouts and find the duration of a transaction.

So please, see my approach and adapt it to your requirements:

index=allsessions ("*login*" OR "*logout*")
| stats
    earliest(eval(if(searchmatch("*login*"),_time,"") AS earliest
    latest(eval(if(searchmatch("*logout*"),_time,"") AS latest
    BY SESSION.ID
| eval
    earliest=strgtime(earliest,"%Y-%m-%d %H:%M:%S"),
    latest=strgtime(latiest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2024 11:26 PM

Hi @Labuser43 ,

at first Splunk isn't a database so you don't need an inner join to extract some data like the ones you want, forget all you know about databases and reset your mind (I did it 13 years ago!).

You have to correlate different events to extract e.g. the timestamps of logins and logouts and find the duration of a transaction.

So please, see my approach and adapt it to your requirements:

index=allsessions ("*login*" OR "*logout*")
| stats
    earliest(eval(if(searchmatch("*login*"),_time,"") AS earliest
    latest(eval(if(searchmatch("*logout*"),_time,"") AS latest
    BY SESSION.ID
| eval
    earliest=strgtime(earliest,"%Y-%m-%d %H:%M:%S"),
    latest=strgtime(latiest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-14-2024 08:45 PM

Hi @Labuser43 

if i understand your requirement correctly, you may not need the join at all. simply try the OR option:

index=allsessions "*login*" OR "*logout*"

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

Labuser43
Engager
‎10-14-2024 10:05 PM

@inventsekar my requirement is to get SESSION_IDs where both login AND logout occur in that session. To explain more, let's use an example of a session that would fit this criteria:

 

OPERATION   SESSION_ID

login       1234

add_to_cart 1234

checkout    1234

logout      1234

 

If I use OR, I think it may return a session that only has login or logout.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-14-2024 10:16 PM

Sure @Labuser43 , got it now.. pls try this inner join (or if you want to test other two joins, "type=left" or "type=outer")

 

 

index=allsessions "*login*" | join type=inner SESSION_ID [search index=allsessions "*logout*"]

 

 


still, the join can be avoided i feel. maybe pls check:
EDIT - included the OR portion

 

index=allsessions "*login*" OR "*logout*" | stats list(OPERATION) by SESSION_ID

OR

index=allsessions "*login*" OR "*logout*"| stats values(OPERATION) by SESSION_ID

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...