Hi,

I want to display all relevant information that is available for remote sessions, per remote session. However, this is contained in different logs that all have the same session_id. Suppose I gather those logs in a search via a single stream, for example like this:

[3 user="x*" type=login OR type=logoff OR type=authentication_try having same session_id] as Stream

How can I access the individual logs included?

For example

| fields Stream.type, Stream.col_ts, Stream.user or

| chart count() by Stream.user etc. doesn’t work.

Just showing the fields without grouping of same session_id is not the solution, since I cannot order fields and all session_ids are mixed. 


Hope there’s a way. Best
Georg

Hi Georg,

I put in a search query here which uses distinct_lists to gather the information by the session_id.

session_id=* user="x*" type=login OR type=logoff OR type=authentication_try
| chart distinct_list(col_ts) as col_ts, distinct_list(user) by session_id
| fields session_id, col_ts, user

A similar post and discussion was had on the community some time ago which you can find here:

Hope this helps.


Best Regards,
Gustav


Thanks Gustav, this mainly answered my question. I understand that access to the individual logs in the stream is not possible and that just the common information can be retrieved.

Hi Georg,

You can change the distinct_list(col_ts) to max(col_ts) to get the collection timestamp of the newest log received for the logs grouped by session_id.

So the modified search query would be like this:

session_id=* user="x*" type=login OR type=logoff OR type=authentication_try
| chart max(col_ts) as col_ts, distinct_list(user) by session_id
| fields session_id, col_ts, user


Let me know if this works.

Best Regards,
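Both of Gustav's queries aggregate per session_id (distinct_list of users and timestamps in the first, max(col_ts) in the second) rather than exposing the individual logs. As an added illustration that is not part of this thread and not LogPoint code, the Python below reproduces that aggregation over a handful of constructed login/logoff/authentication_try records and also keeps the per-session ordered timeline Georg was after, plus a simple check for sessions that have a login but no logoff. The field names session_id, user, type and col_ts are the ones used in the thread; the sample records and the `x*` user filter are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample records (not from the thread). Each dict stands in for
# one log line as it would arrive in the SIEM; col_ts is a collection
# timestamp expressed as a plain integer for readability.
SAMPLE_LOGS = [
    {"session_id": "s1", "user": "xavier", "type": "authentication_try", "col_ts": 1000},
    {"session_id": "s1", "user": "xavier", "type": "login", "col_ts": 1005},
    {"session_id": "s2", "user": "xenia", "type": "authentication_try", "col_ts": 1003},
    {"session_id": "s1", "user": "xavier", "type": "logoff", "col_ts": 1900},
    {"session_id": "s2", "user": "xenia", "type": "login", "col_ts": 1010},
    {"session_id": "s3", "user": "bob", "type": "login", "col_ts": 1020},  # dropped by user=x*
]

WANTED_TYPES = {"login", "logoff", "authentication_try"}


def matches(log):
    """Equivalent of the filter  user="x*" type=login OR type=logoff OR type=authentication_try."""
    return log["user"].startswith("x") and log["type"] in WANTED_TYPES


def group_by_session(logs):
    """Equivalent of
        | chart distinct_list(col_ts), distinct_list(user), max(col_ts) by session_id
    with one addition: the ordered list of (col_ts, type) events per session,
    which is the per-log detail the chart aggregation discards."""
    groups = defaultdict(list)
    for log in logs:
        if matches(log):
            groups[log["session_id"]].append(log)

    result = {}
    for sid, entries in groups.items():
        entries.sort(key=lambda e: e["col_ts"])  # order events inside the session
        result[sid] = {
            "col_ts": sorted({e["col_ts"] for e in entries}),   # distinct_list(col_ts)
            "user": sorted({e["user"] for e in entries}),       # distinct_list(user)
            "max_col_ts": max(e["col_ts"] for e in entries),    # max(col_ts)
            "events": [(e["col_ts"], e["type"]) for e in entries],
        }
    return result


def open_sessions(grouped):
    """Sessions that saw a login but no logoff: useful as a quick sanity check
    on the aggregation, and as the kind of per-session question the grouped
    view can answer directly."""
    return sorted(
        sid for sid, info in grouped.items()
        if any(t == "login" for _, t in info["events"])
        and not any(t == "logoff" for _, t in info["events"])
    )


if __name__ == "__main__":
    grouped = group_by_session(SAMPLE_LOGS)
    for sid, info in sorted(grouped.items()):
        print(sid, info["user"], info["max_col_ts"], info["events"])
    print("still open:", open_sessions(grouped))
```

The `events` list is what the `| chart ... by session_id` form cannot give you: once the logs are folded into one row per session_id, only the aggregated columns remain, which is the limitation Georg notes in his follow-up.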