Splunk Search

how to search events with a common value

andreac81
Explorer

Hi to all,

I need to find whether a user performs a login and a logout within 15 seconds, performed by the same user (same cookie value).

I set up this search:

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s

It returns only the action=login or action=logout events, but not with the same cookie and not within the last 15 seconds.
Thanks

0 Karma
1 Solution

jplumsdaine22
Influencer

If all events contain the cookie field you can use stats. Something like this might work:

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16


andreac81
Explorer

I tested the search more carefully:
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. the session time of the login), whereas I need the session time between login and logout. How can I modify the search?
Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

It's hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else?

0 Karma

andreac81
Explorer

It's correct: "The search should be calculating the difference between the _time value of the login event and the _time value of the logout event" for events with the same cookie.

0 Karma

jplumsdaine22
Influencer

Yes, so that is what my search will calculate. When you say "but it returns the session time of the single action", what value do you actually see?

0 Karma

andreac81
Explorer

Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?

Thanks,
Andrea

0 Karma

jplumsdaine22
Influencer

Assuming I have understood you correctly, session_time<901 (ie 15 minutes and 1 second)

0 Karma

somesoni2
Revered Legend

Give this a try

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith="action=login" endswith="action=logout" keeporphans=false
0 Karma
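The two approaches in this thread behave differently on a cookie that has only a login (or a logout before its login): the stats search computes latest-earliest over whatever events exist, so a lone login gives session_time=0 and passes the where clause, which is the "session time of the single action" the original poster saw. The transaction search with startswith/endswith and keeporphans=false only keeps a login followed by a logout within maxspan. The following Python script is an added example, not code from the thread or from Splunk; it replays both searches' logic over a handful of constructed access-log events (cookie values and timestamps are made up) so the difference is visible offline.

```python
"""Model of the two SPL searches from the thread, run over constructed events.

stats_span()      ~ stats earliest(_time) latest(_time) by cookie | where session_time<=15
paired_sessions() ~ transaction cookie maxspan=15s startswith="action=login"
                    endswith="action=logout" keeporphans=false
Both are approximations written for illustration, not Splunk's own implementation.
"""
from collections import defaultdict

# Constructed sample events, not from the original post: (_time, cookie, action).
EVENTS = [
    (1000.0, "c1", "login"),
    (1008.0, "c1", "logout"),   # c1: login then logout 8 s later  -> real match
    (1100.0, "c2", "login"),    # c2: login only, never logs out    -> must not match
    (1200.0, "c3", "login"),
    (1230.0, "c3", "logout"),   # c3: 30 s apart                    -> outside 15 s window
    (1300.0, "c4", "logout"),
    (1305.0, "c4", "login"),    # c4: logout before login           -> not a login->logout pair
]


def stats_span(events, max_seconds=15):
    """Equivalent of the stats-based search in the accepted answer.

    Returns {cookie: latest-earliest} for every cookie whose span is within
    max_seconds. The thread's `where session_time<16` equals `<=15` for
    whole-second timestamps; `<=` is used here so fractional times behave.
    A cookie with a single event has span 0 and therefore passes.
    """
    times = defaultdict(list)
    for t, cookie, _action in events:
        times[cookie].append(t)
    return {
        cookie: max(ts) - min(ts)
        for cookie, ts in times.items()
        if max(ts) - min(ts) <= max_seconds
    }


def paired_sessions(events, max_seconds=15):
    """Equivalent of `transaction ... startswith=login endswith=logout keeporphans=false`.

    For each cookie, walk events in time order, open a session on a login and
    close it on the next logout; keep only closed sessions within max_seconds.
    Returns {cookie: [duration, ...]} for cookies with at least one such pair.
    """
    by_cookie = defaultdict(list)
    for ev in events:
        by_cookie[ev[1]].append(ev)

    sessions = {}
    for cookie, evs in by_cookie.items():
        evs.sort(key=lambda e: e[0])
        login_time = None
        for t, _cookie, action in evs:
            if action == "login":
                login_time = t            # startswith: (re)open the transaction
            elif action == "logout" and login_time is not None:
                duration = t - login_time
                if duration <= max_seconds:   # maxspan: longer pairs are dropped
                    sessions.setdefault(cookie, []).append(duration)
                login_time = None         # endswith: close the transaction
        # an open login with no logout is an orphan -> discarded (keeporphans=false)
    return sessions


def false_positives(events, max_seconds=15):
    """Cookies the stats search reports that have no real login->logout pair."""
    return set(stats_span(events, max_seconds)) - set(paired_sessions(events, max_seconds))


if __name__ == "__main__":
    print("stats approach :", stats_span(EVENTS))
    print("transaction    :", paired_sessions(EVENTS))
    print("false positives:", sorted(false_positives(EVENTS)))
```

On the sample data the stats approach reports c1, c2 and c4 (c2 with a span of 0 from its lone login), while the paired approach reports only c1. If the stats form is preferred for performance, the same fix can be expressed in SPL by also collecting `values(action)` or `dc(action)` per cookie and requiring both actions to be present before comparing the times.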