topic Concurrent active users in Security

Concurrent active users

rklein — Mon, 26 May 2014 16:01:55 GMT

I have the following input: session id, login time, logout time.
I'm trying to get a graph of concurrent active users within the login/logout time range.
For example if i have the following dataset:
sid, login time, logout
1, 2014-05-26 11:00, 2014-05-26 15:00
2, 2014-05-26 12:00, 2014-05-26 13:00
3, 2014-05-26 13:00, 2014-05-26 14:00

I would like to get a graph which span on each hour with the following results:
11:00-12:00 1 concurrent users
12:00-13:00 2 concurrent users
14:00-15:00 2 concurrent users

Re: Concurrent active users

lguinn2 — Mon, 26 May 2014 19:11:19 GMT

Here is the only way that I can think of to do this:

yoursearchhere
| eval ts=login_time . ";" . logout | makemv delim=";" ts
| mvexpand ts
| eval ts_epoch = strptime(ts, "%Y-%m-%d %H:%M")
| sort ts_epoch
| eval counter=if(ts==login_time,1,-1)
| streamstats sum(counter) as concurrent_users 
| bucket ts_epoch span=1h
| chart avg(concurrent_users) as "Avg Concurrent Users" by ts_epoch
| ts = strftime(ts_epoch, "%Y-%m-%d %H:%M")
| table ts "Avg Concurrent Users"