Access individual logs within single stream

Hi,

I want to display all relevant information that is available for remote sessions, per remote session. However, this is contained in different logs that all have the same session_id. Suppose I gather those logs in a search via a single stream, for example like this:

[3 user="x*" type=login OR type=logoff OR type=authentication_try having same session_id] as Stream

How can I access the individual logs included?

For example

| fields Stream.type, Stream.col_ts, Stream.user or

| chart count() by Stream.user etc. doesn’t work.

Just showing the fields without grouping by session_id is not the solution, since I cannot order the fields and all session_ids are mixed.


Hope there’s a way. Best
Georg

3 comments

Gustav Elkjær Rødsgaard

Hi Georg,

I put in a search query here which uses distinct_lists to gather the information by the session_id.

session_id=* user="x*" type=login OR type=logoff OR type=authentication_try
| chart distinct_list(col_ts) as col_ts, distinct_list(user) as user by session_id
| fields session_id, col_ts, user

A similar post and discussion took place on the community some time ago, which you can find here:

Hope this helps.


Best Regards,
Gustav

Georg Wittig

Thanks Gustav, this mainly answered my question. I understand that access to the individual logs in the stream is not possible and only the common information can be retrieved.

Gustav Elkjær Rødsgaard

Hi Georg,

You can change distinct_list(col_ts) to max(col_ts) to get the collection timestamp of the newest log received for the logs grouped by session_id.

So the modified search query would be like this:

session_id=* user="x*" type=login OR type=logoff OR type=authentication_try
| chart max(col_ts) as col_ts, distinct_list(user) as user by session_id
| fields session_id, col_ts, user


Let me know if this works.

Best Regards,
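
The following is an added example, not code from the original thread or from LogPoint. It emulates in Python what the two searches above do over a handful of constructed events, and alongside them builds the per-session ordered timeline the question asks for. The event records, session IDs, user names and timestamps are all made up for the example; the point it shows is that a chart with distinct_list(col_ts) and distinct_list(user) yields two independent lists per session, so the pairing of a timestamp with the event type and user is lost, whereas grouping the raw events by session_id and sorting by col_ts keeps every individual log.

```python
from collections import defaultdict

# Constructed sample events (not taken from the original post). Each dict
# stands in for one log line that the search
#   session_id=* user="x*" type=login OR type=logoff OR type=authentication_try
# would return; col_ts is the collection timestamp as an epoch integer.
SAMPLE_EVENTS = [
    {"session_id": "s1", "user": "xavier", "type": "authentication_try", "col_ts": 1700000000},
    {"session_id": "s2", "user": "xenia",  "type": "login",              "col_ts": 1700000005},
    {"session_id": "s1", "user": "xavier", "type": "authentication_try", "col_ts": 1700000010},
    {"session_id": "s1", "user": "xavier", "type": "login",              "col_ts": 1700000020},
    {"session_id": "s2", "user": "xenia",  "type": "logoff",             "col_ts": 1700000030},
    {"session_id": "s1", "user": "xavier", "type": "logoff",             "col_ts": 1700000040},
]


def group_by_session(events):
    """Bucket events by session_id, each bucket ordered by col_ts.

    This is the 'having same session_id' grouping with the individual logs
    kept intact: every event survives, and order within a session is known.
    """
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["session_id"]].append(ev)
    return {sid: sorted(evs, key=lambda e: e["col_ts"]) for sid, evs in sessions.items()}


def session_timeline(events, session_id):
    """Ordered (col_ts, type, user) tuples for one session: the per-session
    view of individual logs the question asks for."""
    return [(e["col_ts"], e["type"], e["user"])
            for e in group_by_session(events).get(session_id, [])]


def chart_distinct_list(events):
    """Emulates
      | chart distinct_list(col_ts) as col_ts, distinct_list(user) as user by session_id
    One row per session. The lists are built independently (sets, sorted here
    only for determinism; the real ordering is an assumption), so which
    timestamp belonged to which type/user can no longer be recovered.
    """
    rows = {}
    for sid, evs in group_by_session(events).items():
        rows[sid] = {
            "col_ts": sorted({e["col_ts"] for e in evs}),
            "user": sorted({e["user"] for e in evs}),
        }
    return rows


def chart_max_col_ts(events):
    """Emulates
      | chart max(col_ts) as col_ts, distinct_list(user) as user by session_id
    Collapses each session to its newest collection timestamp plus the users seen."""
    rows = {}
    for sid, evs in group_by_session(events).items():
        rows[sid] = {
            "col_ts": max(e["col_ts"] for e in evs),
            "user": sorted({e["user"] for e in evs}),
        }
    return rows


def count_by_session_and_type(events):
    """Emulates | chart count() by session_id, type on the ungrouped events.
    Counting is still possible when you group on the raw fields instead of
    on a stream alias."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["session_id"], e["type"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for sid in sorted(group_by_session(SAMPLE_EVENTS)):
        print(sid, session_timeline(SAMPLE_EVENTS, sid))
    print(chart_distinct_list(SAMPLE_EVENTS))
    print(chart_max_col_ts(SAMPLE_EVENTS))
    print(count_by_session_and_type(SAMPLE_EVENTS))
```

Running it prints each session's ordered events first, then the two flattened chart shapes; comparing the s1 timeline (two authentication_try events, then login, then logoff) with its distinct_list row makes it visible that the chart rows carry only the common, per-session summary the accepted answer describes.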
