Hi @Labuser43, first of all, Splunk isn't a database, so you don't need an inner join to extract data like the ones you want; forget all you know about databases and reset your mind (I did it 13 years ago!). You have to correlate different events to extract, e.g., the timestamps of logins and logouts and find the duration of a transaction. So please, see my approach and adapt it to your requirements:

index=allsessions ("*login*" OR "*logout*")
| stats
    earliest(eval(if(searchmatch("*login*"),_time,null()))) AS earliest
    latest(eval(if(searchmatch("*logout*"),_time,null()))) AS latest
    BY SESSION.ID
| eval
    earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
    latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.
Giuseppe
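The same correlation, as an added example that is not part of the original post or of Splunk: a small Python script that reproduces what the `stats earliest(...) latest(...) BY SESSION.ID` search does, over a few constructed log lines. The log format (`<timestamp> <action> user=... session=...`), the field names and the session ids are assumptions made up for the example; a session with a login but no logout keeps an empty logout and no duration, which is what `null()` in the SPL `eval` gives you too.

```python
"""Correlate login/logout events per session id the way the SPL
`stats earliest(...) latest(...) BY SESSION.ID` search does.
Constructed sample data only (assumed format, not from any real system)."""
import re
from datetime import datetime, timezone

# Constructed sample events: ISO-8601 timestamp, action, user, session id.
# The "heartbeat" line shows that events other than login/logout are ignored,
# just as the SPL search filter ("*login*" OR "*logout*") drops them.
SAMPLE_LOGS = """\
2024-03-01T08:00:05Z login user=alice session=S1
2024-03-01T08:00:09Z login user=bob session=S2
2024-03-01T08:45:10Z logout user=alice session=S1
2024-03-01T09:10:00Z logout user=bob session=S2
2024-03-01T09:30:00Z login user=carol session=S3
2024-03-01T09:31:00Z heartbeat user=carol session=S3
"""

# Assumed line layout: "<ts> <action> ... session=<sid>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+.*?session=(?P<sid>\S+)")
OUT_FMT = "%Y-%m-%d %H:%M:%S"  # same format as strftime() in the SPL


def parse_line(line):
    """Return (timestamp, action, session_id) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["action"], m["sid"]


def session_durations(raw_logs):
    """Return {sid: (earliest_login, latest_logout, duration_seconds)}.

    earliest_login is the earliest login seen for the session, latest_logout the
    latest logout; either is None when no such event exists, and the duration is
    None unless both are present (mirrors null() in the SPL eval)."""
    sessions = {}
    for line in raw_logs.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, sid = parsed
        entry = sessions.setdefault(sid, {"login": None, "logout": None})
        if action == "login" and (entry["login"] is None or ts < entry["login"]):
            entry["login"] = ts          # earliest(...) of login events
        elif action == "logout" and (entry["logout"] is None or ts > entry["logout"]):
            entry["logout"] = ts         # latest(...) of logout events
    result = {}
    for sid, e in sessions.items():
        if e["login"] is not None and e["logout"] is not None:
            duration = (e["logout"] - e["login"]).total_seconds()
        else:
            duration = None
        result[sid] = (e["login"], e["logout"], duration)
    return result


def fmt(ts):
    """Render a timestamp like strftime(_time,"%Y-%m-%d %H:%M:%S"), or None."""
    return ts.strftime(OUT_FMT) if ts is not None else None


if __name__ == "__main__":
    for sid, (login, logout, dur) in sorted(session_durations(SAMPLE_LOGS).items()):
        print(f"{sid}: earliest={fmt(login)} latest={fmt(logout)} duration={dur}")
```

Sessions that never log out (S3 above) are often the ones worth a second look in an audit, so the script keeps them in the output with an empty logout instead of dropping them.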