Dear All,
I am setting up a report of Username, Logged in time, Logged out time, Internal and External IP Addresses from a VPN node log. I have already determined how I can get the identifying marks for the start and end events, the IP Addresses (all in different events - thank you) and I have created a transaction to group them together. Here is my search string, as is:
index=infrastructure sourcetype=syslog Session_Number="*" | transaction Session_Number | fields Outside_IP, Client_Inside_IP, login_username
However, I then want to use the Internal IP Address and start (logged in) and end (logged out) times and then use the data in a subsearch against other logs.
I know that I could use the "stats" command to get the Earliest and Latest times, but I need the other fields in the output, so I need a transaction and that would get me:
index=infrastructure sourcetype=syslog Session_Number="*" | stats earliest(_time) AS Login_Time, latest(_time) AS Logout_Time by Session_Number | convert ctime(Login_Time) ctime(Logout_Time)
However, how do I put these two together, to have both, please? Ideally, I would ask that Splunk add the fields "_transaction_start_time" and "_transaction_end_time" to the function, but that might be asking too much.
How do I do this, please?
Kindest regards,
BlueSocket
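One way to keep the transaction and still get a login and logout timestamp per session, as an added example that is not part of the original post: the transaction command sets _time to the timestamp of the earliest event in the group and adds a duration field (seconds between the earliest and latest event), so the end time is _time plus duration. The index, sourcetype and field names are taken from the search above; Login_Time and Logout_Time are assumed output names.

```spl
index=infrastructure sourcetype=syslog Session_Number="*"
| transaction Session_Number
| eval Login_Time=_time, Logout_Time=_time+duration
| convert ctime(Login_Time) ctime(Logout_Time)
| fields Session_Number login_username Outside_IP Client_Inside_IP Login_Time Logout_Time
```

If the only reason for the transaction is to carry the IP and username fields alongside the times, stats can do the same with less memory: add values(Outside_IP) AS Outside_IP, values(Client_Inside_IP) AS Client_Inside_IP and values(login_username) AS login_username to the earliest/latest stats search from the post, still split by Session_Number. Keep the eval before the convert, so the arithmetic runs on epoch seconds rather than on the formatted strings; when feeding a subsearch, drop the convert (or use an extra eval) so the subsearch receives numeric times it can compare against _time.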