Re: Questions regarding the transaction command

dpatnam · ‎07-08-2011

Hello,

We have a set of log events consisting of user activity by a number of different users in an application. We are trying to construct a search that will returns only those usernames that have been active in the logs (that is log events with that username present) for more that 4 hours but did not take a break of at least 15 minutes (i.e. no activity in the logs for at least 15 minutes). I tried using the transaction command like the one shown below but it does not appear to be working. Any advise on how to accomplish this would be greatly appreciated.

sourcetype=app_sourcetype | transaction username maxspan>240m maxpause<15m

Thanks in advance.

Johnvey · ‎07-08-2011

Is the search you pasted correct? The arguments to transaction do not take inequalities -- it should be something like maxspan=240m and maxpause=15m, not with > or <.

dpatnam · ‎07-08-2011

I tried this search to get a list of all the users that were active in the logs for more than 4 hours (14400 seconds) during a day but I am not sure how I can then use this data to determine those users from this list that had maximum pauses in the logs for less than 15 minutes (did not take a break of 15 minutes or more)

sourcetype=app_sourcetype | stats range(_time) as difference by username | where difference > 14400

Questions regarding the transaction command

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!