Solved

Access individual logs within single stream

  • 15 September 2023
  • 3 replies
  • 130 views

Hi,

I want to display all relevant information that is available for remote sessions per remote session. However this is contained in different logs that all have the same session_id. Suppose I gather those logs in a search via a single stream. For example like this:

[3 user="x*" type=login OR type=logoff OR type=authentication_try having same session_id] as Stream

 

How can I access the individual logs included?

 

 

For example

| fields Stream.type, Stream.col_ts, Stream.user or

| chart count() by Stream.user etc. doesn’t work.

 

Just showing the fields without grouping of same session_id is not the solution, since I cannot order fields and all session_ids are mixed. 


Hope there’s a way. Best
Georg

Best answer by Gustav Elkjær Rødsgaard

Hi Georg,

I put in a search query here which uses distinct_lists to gather the information by the session_id.

session_id = * user="x*" type=login OR type=logoff OR type=authentication_try
| chart distinct_list(col_ts) as col_ts, distinct_list(user) by session_id 
| fields session_id, col_ts, user

 

A similar post and discussion was had on the community some time ago which you can find here:

 

Hope this helps.


Best Regards,
Gustav


3 replies


  • Author
  • New Participant
  • 3 replies
  • September 19, 2023

 

Thanks Gustav, this mainly answered my question. I understand that access to the individual logs in the stream is not possible and that just the common information can be retrieved.

 



Hi Georg,

You can change the distinct_list(col_ts) to max(col_ts) to get the newest log received collection timestamp for the grouped logs by session_id.

So the modified search query would be like this:
 

session_id = * user="x*" type=login OR type=logoff OR type=authentication_try
| chart max(col_ts) as col_ts, distinct_list(user) by session_id 
| fields session_id, col_ts, user


Let me know if this works.

 

Best Regards,
 
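Combining the two answers above into one per-session summary, as an added example that is not from the original thread. It uses the same chart/distinct_list/max/count/fields constructs shown above, and assumes that min() and order by are also available in this query language and that parentheses can group the type alternatives so the implicit AND with the user filter is unambiguous:

```text
session_id=* user="x*" (type=login OR type=logoff OR type=authentication_try)
| chart min(col_ts) as first_seen, max(col_ts) as last_seen, count() as events, distinct_list(type) as event_types, distinct_list(user) as users by session_id
| fields session_id, first_seen, last_seen, events, event_types, users
| order by events desc
```

Each row is one remote session with its first and last collection timestamp, the number of matching logs, and which event types occurred, so a session with many authentication_try events and no login in event_types is easy to pick out for review.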

