Splunk: query when the same user called the same endpoint less than 30 minutes apart

Question

Based on the following entries:

ORDER=entry1 USER=user1 EP=endpoint1 TIME=10:00
ORDER=entry2 USER=user2 EP=endpoint1 TIME=10:01
ORDER=entry3 USER=user1 EP=endpoint1 TIME=10:05
ORDER=entry4 USER=user2 EP=endpoint1 TIME=11:00

I want to write a Splunk query that would list all calls to endpoint1 by the same user, in an interval less than 30 minutes.

The output of the query would be

ORDER=entry3 USER=user1 EP=endpoint1 TIME=10:05

because only the entry3 is done by the same user to that endpoint in an interval that is less than 30 minutes.

I tried writing the query, but I don't know how to make it to a generic user. My queries work, but they are for a specific user.

How can I make it generic?

score 0 · Answer 1 · answered Feb 07 '17 at 00:39

The way I got it was by adding a virtual field that is the concatenation of USER and EP, as indicated in this doc: https://answers.splunk.com/answers/33738/concatenate-fields-into-a-single-string.html

The query I came up was:

"endpoint1" | eval USEREP = USER.";".EP | transaction USER maxspan=30min

Splunk: query when the same user called the same endpoint less than 30 minutes apart

1 Answers1