Hi, I am quite new to Splunk.
I have been working with a log like the one below.
2016/3/18 10:00:00 user=userA Action=Connect group=router
2016/3/18 10:01:00 user=userB Action=Connect group=router
2016/3/18 10:02:00 username=admin Action=Login group=server
2016/3/18 10:03:00 user=userC Action=Connect group=router
2016/3/18 11:00:00 user=userA Action=Disconnect group=router
2016/3/18 11:01:00 user=userB Action=Disconnect group=router
2016/3/18 11:02:00 user=userC Action=Disconnect group=router
The groups named router and server are logs from different equipment, but they are in the same syslog.
In our system, some users log in to a router, then ssh to a server, using the username admin to log in to the server.
I am wondering if I can see all possible combinations by using the transaction command to find out which user is a possible user to log in to the server.
In this case, a possible user will be userA and userB.
I tried something like:
* | transaction startswith="Connect" endswith="Disconnect"
| search admin
It only shows one group.
It doesn't have to be transaction to solve this.
Thanks,
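Added example, not part of the question or of any Splunk answer: a small Python script that does the same correlation outside Splunk, over the log lines from the question as constructed sample input. It pairs each router Connect with that user's next Disconnect, then for every server Login by the shared account (assumed here to be admin) lists the router users whose session was open at that instant, which is the set of people who could have been behind that shared login.

```python
import re
from datetime import datetime

# Constructed sample input: the log lines from the question, not live syslog.
SAMPLE_LOG = """\
2016/3/18 10:00:00 user=userA Action=Connect group=router
2016/3/18 10:01:00 user=userB Action=Connect group=router
2016/3/18 10:02:00 username=admin Action=Login group=server
2016/3/18 10:03:00 user=userC Action=Connect group=router
2016/3/18 11:00:00 user=userA Action=Disconnect group=router
2016/3/18 11:01:00 user=userB Action=Disconnect group=router
2016/3/18 11:02:00 user=userC Action=Disconnect group=router
"""

def parse_events(log_text):
    """Yield (timestamp, fields) per line; fields holds the key=value pairs."""
    for line in log_text.splitlines():
        m = re.match(r"^(\S+ \S+) (.*)$", line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            yield ts, dict(kv.split("=", 1) for kv in m.group(2).split())

def router_sessions(events):
    """Pair each router Connect with that user's next Disconnect.
    A Connect still open at the end of the log gets end=None."""
    open_sessions, sessions = {}, []
    for ts, f in events:
        if f.get("group") != "router":
            continue
        user, action = f.get("user"), f.get("Action")
        if action == "Connect":
            open_sessions[user] = ts
        elif action == "Disconnect" and user in open_sessions:
            sessions.append((user, open_sessions.pop(user), ts))
    sessions.extend((u, start, None) for u, start in open_sessions.items())
    return sessions

def candidate_users(log_text, shared_account="admin"):
    """For each server Login by the shared account, return the sorted list of
    router users whose session was open at that instant: {login_ts: [users]}."""
    events = list(parse_events(log_text))
    sessions = router_sessions(events)
    result = {}
    for ts, f in events:
        if (f.get("group") == "server" and f.get("Action") == "Login"
                and f.get("username") == shared_account):
            result[ts] = sorted(u for u, start, end in sessions
                                if start <= ts and (end is None or end >= ts))
    return result
```

For the sample log this returns userA and userB for the 10:02:00 admin login, and userC is excluded because its router session only starts at 10:03:00.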