https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475488#M133637 <PRE><CODE>index=cisco_asa Cisco_ASA_user=* | reverse | streamstats count(eval(searchmatch("connection established"))) as session by Cisco_ASA_user | stats min(_time) as start max(_time) as end by session Cisco_ASA_user | eval tmp=mvrange(start,end,3600) | mvexpand tmp | rename tmp as _time | bin span=1h _time | stats count as "Total Count" by _time </CODE></PRE> <P>VPN log has only <EM>start</EM> and <EM>end</EM> of connection.<BR /> It is necessary to make a log for the period in the middle.</P> Mon, 13 Apr 2020 22:28:54 GMT to4kawa 2020-04-13T22:28:54Z https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475485#M133634 <P>Hello, I am currently tracking a total count of VPN Users. I want to track the total over a timechart to see when the high and low parts are through out the day. Below I have provided the search I am using to get the total VPN Count. Could you please assist on editing the search to show it in timechart and the total count by each hour. </P> <PRE><CODE>index=cisco_asa Cisco_ASA_user=* | transaction fields=Cisco_ASA_user maxspan=12h30m connected=f startswith="*connection established*" | search eventtype!=cisco_vpn_end | dedup user | stats count by Cisco_ASA_user | eventstats sum(count) as totalCount | rename totalCount as "Total Count" | table "Total Count" </CODE></PRE> <P>Thanks, </P> <P>Cooper J</P> Mon, 13 Apr 2020 18:22:01 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475485#M133634 cooperjaram 2020-04-13T18:22:01Z https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475486#M133635 <P>Will this get you close?</P> <PRE><CODE>index=cisco_asa Cisco_ASA_user=* | transaction fields=Cisco_ASA_user maxspan=12h30m connected=f startswith="*connection established*" | search eventtype!=cisco_vpn_end | dedup user | timechart span=1h count(user) AS UserCount </CODE></PRE> <P>FYI, it is generally preferred to use <CODE>stats</CODE> instead of <CODE>transaction</CODE> like this:</P> <PRE><CODE>| (your search) | eval StartTime=if(match(_raw, "cisco_vpn_start"), _time, null()) | eval EndTime=if(match(_raw, "cisco_vpn_end"), _time, null()) | stats earliest(StartTime) as StartTime latest(EndTime) as EndTime by Cisco_ASA_user </CODE></PRE> <P>Then you can search for full sessions (have both StartTime and EndTime) or abandoned (StartTime but missing and well overdue end times) or in progress (StartTime, no EndTime, but not long enough for timeout). You can do a lot with this info.</P> Mon, 13 Apr 2020 19:29:39 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475486#M133635 jpolvino 2020-04-13T19:29:39Z https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475487#M133636 <P>See if this gets you the desired results.</P> <PRE><CODE>index=cisco_asa Cisco_ASA_user=* | transaction fields=Cisco_ASA_user maxspan=12h30m connected=f startswith="*connection established*" | search eventtype!=cisco_vpn_end | dedup user | stats count by _time | timechart span=1h sum(count) as totalCount | rename totalCount as "Total Count" </CODE></PRE> Mon, 13 Apr 2020 19:34:55 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475487#M133636 richgalloway 2020-04-13T19:34:55Z https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475488#M133637 <PRE><CODE>index=cisco_asa Cisco_ASA_user=* | reverse | streamstats count(eval(searchmatch("connection established"))) as session by Cisco_ASA_user | stats min(_time) as start max(_time) as end by session Cisco_ASA_user | eval tmp=mvrange(start,end,3600) | mvexpand tmp | rename tmp as _time | bin span=1h _time | stats count as "Total Count" by _time </CODE></PRE> <P>VPN log has only <EM>start</EM> and <EM>end</EM> of connection.<BR /> It is necessary to make a log for the period in the middle.</P> Mon, 13 Apr 2020 22:28:54 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-a-total-count/m-p/475488#M133637 to4kawa 2020-04-13T22:28:54Z