Hi All,
Recently Dal Jeanis provided a solution to my query, and now I'm encountering one more issue with the same solution.
https://answers.splunk.com/answers/815659/how-to-get-multiple-events-into-single-row-or-tabl.html
As I see partial logout sessions too, I need the searchmatch for either Successful logout or Partial logout to match the timestamp, and it should be reflected in the report.
If I use an asterisk, "1030105*:5", it displays another event's timestamp (the country event).
103010521:5 -- Successful logout
103010502:5 -- Partial logout
103010502:5 -- resource assigned
103010009:5 -- username
103010500:5 -- country
103010506:5 -- User Agent
index=xyz hostname=device_* session_id=*
| rename COMMENT as "limit to needed fields"
| fields hostname, session_id, username, country, clientip
| rename COMMENT as "set the start and end times"
| eval session_start=if(searchmatch("103010005:5"),_time,null())
| eval session_end=if(searchmatch("103010521:5"),_time,null())
| rename COMMENT as "roll the records together"
| stats values(*) as * by hostname session_id
| rename COMMENT as "format the time fields"
| convert ctime(session_start) ctime(session_end)
| rename COMMENT as "present the results"
| table hostname, session_id, username, country, clientip, session_start, session_end
I need the session end time from either event, Successful logout or Partial logout; it should calculate whichever event is reflected first/last. 103010521:5 -- Successful logout / 103010502:5 -- Partial logout