
Splunk transaction timestamps events
I am setting up a report of Username, Logged in time, Logged out time, Internal and External IP Addresses from a VPN node log. I have already determined how I can get the identifying marks for the start and end events, the IP Addresses (all in different events - thank you) and I have created a transaction to group them together. Here is my search string, as is:

index=infrastructure sourcetype=syslog Session_Number="*" | transaction Session_Number | fields Outside_IP, Client_Inside_IP, login_username

However, I then want to use the Internal IP Address and start (logged in) and end (logged out) times and then use the data in a subsearch against other logs. I know that I could use the stats command to get the Earliest and Latest times, but I need the other fields in the output, so I need a transaction and that would get me:

index=infrastructure sourcetype=syslog Session_Number="*" | stats earliest(_time) AS Login_Time, latest(_time) AS Logout_Time by Session_Number | convert ctime(Login_Time) ctime(Logout_Time)

Ideally, I would ask that Splunk add the fields _transaction_start_time and _transaction_end_time to the function, but that might be asking too much. However, do I put these two together to have both?

There are a few ways to do this, here are a couple that come to mind: The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration. This gives you a per-transaction Login_Time and Logout_Time.

[beginning of your search and transaction] | eval Login_Time=_time | eval Logout_Time=_time + duration | ...
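Putting the two halves together, plus the per-session lookup against other logs that the question asks for, as an added example that is not from the original thread: the `index=firewall`, `sourcetype=fw_traffic` and `src_ip`/`dest_ip`/`dest_port` names of the second log are assumed, and `map` is used rather than a plain subsearch because every session needs its own time window. Login_Time and Logout_Time are rounded outward to whole seconds so they can be passed as earliest/latest.

```spl
index=infrastructure sourcetype=syslog Session_Number="*"
| transaction Session_Number
| eval Login_Time=floor(_time), Logout_Time=ceiling(_time+duration)
| fields Session_Number login_username Client_Inside_IP Outside_IP Login_Time Logout_Time
| map maxsearches=200 search="search index=firewall sourcetype=fw_traffic src_ip=$Client_Inside_IP$ earliest=$Login_Time$ latest=$Logout_Time$ | eval login_username=\"$login_username$\", vpn_session=\"$Session_Number$\", Login_Time=$Login_Time$, Logout_Time=$Logout_Time$"
| convert ctime(Login_Time) ctime(Logout_Time)
| table _time login_username vpn_session src_ip dest_ip dest_port Login_Time Logout_Time
```

Keep in mind that _time + duration is the time of the last event the transaction saw, not necessarily a logout: for a session still open at the end of the search window it is only a lower bound. Adding endswith on the logout message and checking the closed_txn field that transaction sets tells the two cases apart.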