Splunk Search

how to search events with a common value

andreac81
Explorer

Hi to all,

I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)

I set this search

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s

It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks

0 Karma
1 Solution

jplumsdaine22
Influencer

If all events contain the cookie field you can use stats. Something like this might work:

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16


andreac81
Explorer

I tested the search further:
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. the session time of the login), whereas I need the session time between login and logout. How can I modify the search?
Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

It's hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else?

0 Karma

andreac81
Explorer

It's correct: "The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with the same cookie"

0 Karma

jplumsdaine22
Influencer

Yes, so that is what my search will calculate. When you say "but it returns the session time of the single action", what value do you actually see?

0 Karma
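As an added example (not from any of the posters), one way to make the stats approach require both a login and a logout for the same cookie: cookies that only have a login get latest = earliest, which is where a zero session time comes from. It assumes the field names action and cookie used in the thread and a 15-second window.

```spl
tag=access_logs (action=login OR action=logout)
| stats min(eval(if(action="login", _time, null()))) as login_time
        max(eval(if(action="logout", _time, null()))) as logout_time
        count(eval(action="login")) as logins
        count(eval(action="logout")) as logouts
        by cookie
| where logins > 0 AND logouts > 0
| eval session_time = logout_time - login_time
| where session_time >= 0 AND session_time <= 15
| convert ctime(login_time) ctime(logout_time)
```

Because stats collapses each cookie to one row, a cookie that logs in and out several times is reduced to its first login and last logout; if that matters, the transaction form with startswith/endswith pairs each login with its following logout instead.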


andreac81
Explorer

Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?

Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

Assuming I have understood you correctly, session_time<901 (ie 15 minutes and 1 second)

0 Karma

somesoni2
Revered Legend

Give this a try

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith="action=login" endswith="action=logout" keeporphans=false
0 Karma