Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to search events with a common value

andreac81
Explorer
‎06-20-2017 09:11 AM

Hi to all,

I need to find if a user performs a login and a logout in 15 seconds performed by the same user (same cookie value)

I set this search

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s

It returns only action login or logout but not with the same cookie and not in the last 15 seconds.
Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎06-20-2017 09:26 AM

If all events cntain the cookie field you can use stats. Something like this might work: 

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16

View solution in original post

Reply
Solved! Jump to solution

andreac81
Explorer
‎06-21-2017 01:27 PM

I better tested the search
tag=access_logs action=login OR action=logout
| stats latest(_time) as latest earliest(_time) as earliest by cookie
| eval session_time=latest-earliest
| where session_time<16
but it returns the session time of the single action (i.e. session time of login), instead I need the session time beetween login and logout, how can I modify the search?
Thanks,
Andrea

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎06-22-2017 01:48 AM

It\s hard without seeing your data. The search should be calculating the difference between the _time value of the login event and the _time value of the logout event. Is that what you mean by session time? Or are you referring to something else.

0 Karma
Reply
Solved! Jump to solution

andreac81
Explorer
‎06-22-2017 01:51 AM

It's correct " The search should be calculating the difference between the _time value of the login event and the _time value of the logout event for events with same cookie"

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎06-22-2017 05:13 AM

Yes so that it what my search will calculate. When you say "but it returns the session time of the single action " what value do you actually see?

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎06-20-2017 09:26 AM

If all events cntain the cookie field you can use stats. Something like this might work: 

tag=access_logs action=login OR action=logout 
| stats latest(_time) as latest earliest(_time) as earliest by cookie 
| eval session_time=latest-earliest 
| where session_time<16
Reply
Solved! Jump to solution

andreac81
Explorer
‎06-21-2017 02:09 AM

Thanks a lot.
How should I change the search in order to find events in last 15 minutes instead of last 15 seconds?

Thanks,
Andrea

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎06-21-2017 04:09 AM

Assuming I have understood you correctly, session_time<901 (ie 15 minutes and 1 second)

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-20-2017 09:24 AM

Give this a try

tag=access_logs action=login OR action=logout | transaction cookie maxspan=15s startswith=action=login endswith=action=logout keeporphan=f
0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...