Hi,
I want to show events that were executed during someone's VPN session. I can create a transaction that pulls from two sources: VPN and changes. VPN contains session times (start_time and end_time). changes contains change_time (all times are in epoch).
However I get multiple change_time values per transaction (expected behavior if people make multiple changes). I only want to show the change_time fields that are within start_time and end_time. My search requires data coming in from BOTH sources and the eventcount must be greater than 1 (1 VPN log represents both start_time and end_time).
source="changes" OR source="VPN" | eval user=coalesce(ad_id,citrix_user) | transaction user | where eventcount > 1 | where mvcount(source) > 1 | table user, start_time, change_time, end_time, ticket_number
If I do | where change_time > start_time | nothing shows up (I think because there are multiple change_time values per transaction), but if I put | where start_time < end_time | this works perfectly.
How can I create a transaction that re-uses the VPN log but matches it separately with each change log?
source=changes contains change_time, ticket_number, ad_id
source=VPN contains start_time, end_time, citrix_user (citrix_user and ad_id hold the same values)
Thanks,
Brian
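The matching the post is after (each change event compared against each of the same user's VPN sessions, rather than against one collapsed transaction whose change_time has become a multivalue field) is shown below in plain Python over constructed sample events. This is an added example, not code from the original post or from Splunk; the field names (ad_id, citrix_user, start_time, end_time, change_time, ticket_number) are taken from the post, while the event values and the `orphan_changes` helper are constructed for illustration.

```python
"""Correlate change events with the VPN session they happened in.

Added example (not from the original post): the same logic the poster's
transaction search tries to express, written in plain Python over
constructed sample events so the per-change time comparison is explicit.
Field names (ad_id, citrix_user, start_time, end_time, change_time,
ticket_number) come from the post; the event values are constructed.
"""
from collections import defaultdict

# Constructed sample data: epoch seconds, two users, two sessions for "bsmith".
VPN_EVENTS = [
    {"source": "VPN", "citrix_user": "bsmith", "start_time": 1000, "end_time": 2000},
    {"source": "VPN", "citrix_user": "bsmith", "start_time": 5000, "end_time": 6000},
    {"source": "VPN", "citrix_user": "jdoe",   "start_time": 1500, "end_time": 2500},
]
CHANGE_EVENTS = [
    {"source": "changes", "ad_id": "bsmith", "change_time": 1200, "ticket_number": "CHG-1"},
    {"source": "changes", "ad_id": "bsmith", "change_time": 1900, "ticket_number": "CHG-2"},
    {"source": "changes", "ad_id": "bsmith", "change_time": 3000, "ticket_number": "CHG-3"},  # between sessions
    {"source": "changes", "ad_id": "bsmith", "change_time": 6000, "ticket_number": "CHG-4"},  # exactly at end_time
    {"source": "changes", "ad_id": "jdoe",   "change_time": 1100, "ticket_number": "CHG-5"},  # before jdoe's session
    {"source": "changes", "ad_id": "jdoe",   "change_time": 2400, "ticket_number": "CHG-6"},
]


def user_of(event):
    """Equivalent of `eval user=coalesce(ad_id, citrix_user)`."""
    return event.get("ad_id") or event.get("citrix_user")


def changes_within_sessions(vpn_events, change_events):
    """Return one row per (session, change) pair where the change happened
    inside the session window. Unlike collapsing everything into one
    transaction (which turns change_time into a multivalue field), each
    change is compared to each of the user's sessions individually."""
    sessions = defaultdict(list)
    for v in vpn_events:
        sessions[user_of(v)].append((v["start_time"], v["end_time"]))
    rows = []
    for c in change_events:
        user = user_of(c)
        for start, end in sessions.get(user, []):
            if start <= c["change_time"] <= end:   # inclusive on both ends
                rows.append({
                    "user": user,
                    "start_time": start,
                    "change_time": c["change_time"],
                    "end_time": end,
                    "ticket_number": c["ticket_number"],
                })
    rows.sort(key=lambda r: (r["user"], r["start_time"], r["change_time"]))
    return rows


def orphan_changes(vpn_events, change_events):
    """Constructed helper: tickets whose change fell inside no VPN session for
    that user. Worth reviewing separately, since a change made outside any
    session is itself something a defender would want to see."""
    matched = {r["ticket_number"] for r in changes_within_sessions(vpn_events, change_events)}
    return [c["ticket_number"] for c in change_events if c["ticket_number"] not in matched]


if __name__ == "__main__":
    for row in changes_within_sessions(VPN_EVENTS, CHANGE_EVENTS):
        print(row)
    print("outside any session:", orphan_changes(VPN_EVENTS, CHANGE_EVENTS))
```

The boundary row (CHG-4 at exactly end_time) is kept because the comparison is inclusive; if the session log records end_time as the moment the tunnel closed, a strict `<` on that side may be the better choice, so decide that explicitly rather than by accident. In SPL the same shape is reached by expanding the multivalue field before comparing (for example `mvexpand change_time` followed by the time `where` clause) instead of comparing the whole multivalue field at once.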