Hi to all,
I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)
I set this search
tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s
It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks
If all events contain the cookie field you can use stats. Something like this might work:
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
I better tested the search
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. session time of login), instead I need the session time between login and logout, how can I modify the search?
Thanks,
Andrea
It's hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else?
It's correct: "The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with same cookie"
Yes, so that is what my search will calculate. When you say "but it returns the session time of the single action", what value do you actually see?
Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?
Thanks,
Andrea
Assuming I have understood you correctly, session_time<901 (i.e. 15 minutes and 1 second)
Give this a try
tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith=action=login endswith=action=logout keeporphan=f
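As an added illustration (not part of the thread, and not Splunk's own code), the following Python models both searches over a small set of constructed access events, so the difference between the stats approach (lines 13-16 of the thread) and the transaction approach with startswith/endswith/keeporphan=f is visible without a Splunk instance. The event list, cookie values and timestamps are invented for the example; the transaction model is a simplified one (one open login per cookie, closed by the next logout within maxspan) and does not reproduce every detail of Splunk's transaction command.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample events (assumed, not from the thread): epoch seconds, action, cookie.
EVENTS = [
    {"_time": 1000, "action": "login",  "cookie": "c1"},
    {"_time": 1008, "action": "logout", "cookie": "c1"},   # login/logout 8 s apart
    {"_time": 2000, "action": "login",  "cookie": "c2"},
    {"_time": 2040, "action": "logout", "cookie": "c2"},   # login/logout 40 s apart
    {"_time": 3000, "action": "login",  "cookie": "c3"},   # login with no logout
    {"_time": 4000, "action": "logout", "cookie": "c4"},   # logout with no login
]


def stats_session_time(events: List[dict]) -> Dict[str, int]:
    """Model of: stats latest(_time) as latest earliest(_time) as earliest by cookie
                 | eval session_time=latest-earliest
    A cookie that has only one event gets earliest == latest, so session_time is 0.
    That is a single-event span, not a login-to-logout span."""
    bounds: Dict[str, Tuple[int, int]] = {}
    for e in events:
        t = e["_time"]
        lo, hi = bounds.get(e["cookie"], (t, t))
        bounds[e["cookie"]] = (min(lo, t), max(hi, t))
    return {c: hi - lo for c, (lo, hi) in bounds.items()}


def short_sessions_stats(events: List[dict], max_seconds: int = 15) -> List[str]:
    """Model of: | where session_time<16 (max_seconds + 1). Cookies with a single
    event pass this filter because their span is 0."""
    return sorted(c for c, s in stats_session_time(events).items() if s < max_seconds + 1)


def transaction_sessions(events: List[dict], maxspan: int = 15,
                         startswith: str = "login", endswith: str = "logout",
                         keeporphan: bool = False) -> List[Tuple[str, Optional[int]]]:
    """Simplified model of: transaction cookie maxspan=15s startswith=action=login
                            endswith=action=logout keeporphan=f
    A login opens a transaction for its cookie; the next logout for that cookie closes
    it if it arrives within maxspan seconds. Returns (cookie, duration) for closed
    transactions; unmatched events are dropped unless keeporphan is True, in which
    case they appear with duration None."""
    open_login: Dict[str, int] = {}
    out: List[Tuple[str, Optional[int]]] = []
    for e in sorted(events, key=lambda e: e["_time"]):
        c, t, a = e["cookie"], e["_time"], e["action"]
        if a == startswith:
            if c in open_login and keeporphan:
                out.append((c, None))          # previous login never closed
            open_login[c] = t
        elif a == endswith:
            start = open_login.pop(c, None)
            if start is not None and t - start <= maxspan:
                out.append((c, t - start))     # closed within maxspan
            elif keeporphan:
                out.append((c, None))          # no login, or outside maxspan
    if keeporphan:
        out.extend((c, None) for c in open_login)   # logins still open at the end
    return out


if __name__ == "__main__":
    print("stats spans per cookie:", stats_session_time(EVENTS))
    print("cookies passing session_time<16:", short_sessions_stats(EVENTS))
    print("paired login/logout within 15 s:", transaction_sessions(EVENTS))
```

On the constructed data the stats search reports c3 and c4 with session_time 0 and keeps them under the <16 filter, even though neither has both a login and a logout; only c1 is a real login-to-logout pair inside 15 seconds, which is exactly what the transaction form with startswith/endswith and keeporphan=f returns.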