Follow the steps in this recipe to create a state table of sessions:
- Log in to your Splunk server.
- Select the Operational Intelligence application.
- In the search bar, enter the following search and run it over the Last 15 minutes time range:
index=main sourcetype="access_combined" | eval firsttime=_time | eval lasttime=_time | stats earliest(firsttime) as firsttime, latest(lasttime) as lasttime by JSESSIONID | outputlookup createinapp=true session_state.csv
- You should see a tabulated list by session ID, listing the firsttime and lasttime columns. Splunk will also have created a lookup named session_state.csv as a result of the search. The following is a screenshot of the tabulated list:
- Next, amend the query slightly as follows and rerun ...
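To see offline what the first search in this recipe computes, the following added Python example (not part of the original recipe) rebuilds the same per-session firsttime/lasttime table. The log lines, session IDs, and function names are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed access_combined-style sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /cart.do?JSESSIONID=SD1SL4FF7ADFF2 HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /home.do?JSESSIONID=SD9SL2FF1ADFF8 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:03:40 +0000] "POST /checkout.do?JSESSIONID=SD1SL4FF7ADFF2 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

TS_RE = re.compile(r"\[([^\]]+)\]")               # event timestamp (_time)
SID_RE = re.compile(r"JSESSIONID=([A-Za-z0-9]+)")  # session identifier field


def session_state(log_text):
    """Return {JSESSIONID: (firsttime, lasttime)} in epoch seconds."""
    table = {}
    for line in log_text.splitlines():
        ts, sid = TS_RE.search(line), SID_RE.search(line)
        if not (ts and sid):
            continue  # as with "stats ... by JSESSIONID", events lacking the field drop out
        epoch = int(datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp())
        first, last = table.get(sid.group(1), (epoch, epoch))
        # earliest(firsttime) / latest(lasttime) reduce to min / max of _time here
        table[sid.group(1)] = (min(first, epoch), max(last, epoch))
    return table


def to_lookup_csv(table):
    """Render the table with the columns the search writes to the lookup."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["JSESSIONID", "firsttime", "lasttime"])
    for sid in sorted(table):
        writer.writerow([sid, *table[sid]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_lookup_csv(session_state(SAMPLE_LOG)))
```

A session seen only once has equal firsttime and lasttime, and requests that carry no JSESSIONID never appear in the table.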