https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Search-Query-Alert/m-p/509951#M2699 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/185959">@phanichintha</a>&nbsp;here is an example of how it can be achieved using the transaction command.<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval _raw = "time, userID, eventName 20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED 20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED 20/07/2020 09:10:00, 2, AM-LOGOUT 20/07/2020 09:06:00, 1, AM-LOGOUT 20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED 20/07/2020 10:06:00, 3, AM-LOGOUT" | multikv forceheader=1 | eval _time = strptime(time,"%d/%m/%Y %H:%M:%S") | transaction userID maxspan=1d | stats avg(duration) as AverageTimeSpentOnThePlatform</LI-CODE><P>&nbsp;</P><P>Here is the link to the command&nbsp;<BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P><P>You can make it more robust by using the startswith and endwith arguments<BR /><BR />Hope this helps</P> Mon, 20 Jul 2020 05:12:57 GMT anmolpatel 2020-07-20T05:12:57Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Search-Query-Alert/m-p/509942#M2698 <P>Hello,&nbsp;</P><P><SPAN>I need Avg time spent on login and logout by the user and want to calculate from the time they logged in and then out and then the total to show.</SPAN></P><P><SPAN><BR /><STRONG>Need a query for this:&nbsp;</STRONG>Average time spent on the Platform by Users?<BR /></SPAN></P><P><STRONG>Example: </STRONG>each user spent how much time on work per day.</P><P><STRONG>Query:<BR /></STRONG>sourcetype="%forge%" source="/home/amadmin/log/authentication.audit.json" eventName=AM-LOGIN-COMPLETED OR eventName=AM-LOGOUT userId=*</P> Mon, 20 Jul 2020 03:03:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Search-Query-Alert/m-p/509942#M2698 phanichintha 2020-07-20T03:03:41Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Search-Query-Alert/m-p/509951#M2699 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/185959">@phanichintha</a>&nbsp;here is an example of how it can be achieved using the transaction command.<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval _raw = "time, userID, eventName 20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED 20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED 20/07/2020 09:10:00, 2, AM-LOGOUT 20/07/2020 09:06:00, 1, AM-LOGOUT 20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED 20/07/2020 10:06:00, 3, AM-LOGOUT" | multikv forceheader=1 | eval _time = strptime(time,"%d/%m/%Y %H:%M:%S") | transaction userID maxspan=1d | stats avg(duration) as AverageTimeSpentOnThePlatform</LI-CODE><P>&nbsp;</P><P>Here is the link to the command&nbsp;<BR /><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P><P>You can make it more robust by using the startswith and endwith arguments<BR /><BR />Hope this helps</P> Mon, 20 Jul 2020 05:12:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Query-for-Search-Query-Alert/m-p/509951#M2699 anmolpatel 2020-07-20T05:12:57Z