I appreciate the TSQL, but it actually doesn't help me. You are using record names and fields, but not all of them are defined in your post. I'll propose some ideas here anyway...
sourcetype=iis OR whateverFindsTheEventsWithMissingUserNames
| eval MissingDatetime=_time
| fields session MissingDatetime
| join max=0 session [ search sourcetype=iis OR whateverFindsALLTheEventsThatShouldHaveUserNames ]
| sort session _time
This should give you the sessions where at least one event is missing its user name. To reduce it further, you could add this at the end
| eval secondsDiff = MissingDatetime - _time
| where secondsDiff >= 0 AND secondsDiff <= 1200
This would list all the events that were within the 20 minutes prior to the missing user name event. If this answer doesn't help, can you show a few lines of sample data?
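The correlation described in the answer above, written out in Python as an added example (not part of the original post). It keeps every matching event per session and applies the same 0 to 1200 second window. The field names `user` and `uri` and all sample events are constructed assumptions; `_time` is taken to be epoch seconds.

```python
from collections import defaultdict

WINDOW_SECONDS = 1200  # 20 minutes, the bound used in the `where` clause

# Constructed sample events (not real IIS data). `user` is None where the
# log line carried no user name; `user` and `uri` are assumed field names.
EVENTS = [
    {"_time": 1000, "session": "A", "user": "alice", "uri": "/login"},
    {"_time": 1900, "session": "A", "user": "alice", "uri": "/report"},
    {"_time": 2500, "session": "A", "user": None, "uri": "/export"},
    {"_time": 2600, "session": "A", "user": "alice", "uri": "/logout"},
    {"_time": 1200, "session": "B", "user": "bob", "uri": "/login"},
    {"_time": 1300, "session": "B", "user": "bob", "uri": "/home"},
    {"_time": 100, "session": "C", "user": "carol", "uri": "/login"},
    {"_time": 5000, "session": "C", "user": None, "uri": "/admin"},
]


def events_before_missing_user(events, window=WINDOW_SECONDS):
    """Return same-session events within `window` seconds before each
    missing-user event, tagged with MissingDatetime and secondsDiff."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    rows = []
    # Outer loop plays the role of the main search (missing user names);
    # inner loop plays the role of the joined subsearch (all events).
    for missing in (e for e in events if e["user"] is None):
        for ev in by_session[missing["session"]]:
            diff = missing["_time"] - ev["_time"]
            # diff < 0: event came after the gap; diff > window: too old.
            if 0 <= diff <= window:
                rows.append({**ev,
                             "MissingDatetime": missing["_time"],
                             "secondsDiff": diff})
    return sorted(rows, key=lambda r: (r["session"], r["_time"]))


if __name__ == "__main__":
    for row in events_before_missing_user(EVENTS):
        print(row)
```

The missing-user event itself always appears with `secondsDiff` 0, and a session whose earlier events fall outside the window (session C here) returns only that row.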