topic Finding overall login time for a user in Splunk Search

Finding overall login time for a user

Loscil — Thu, 13 Jun 2013 17:19:42 GMT

For a game, my logs log two times, a login event and a logoff event. What I want to do is calculate the total online time of a player in splunk. They are two separate events, and I can find them through queries. I'm not sure how to get the total online time of a player (I don't need to break it down into daily events, just the total overall sum of the time they played)

I think a way to do this would be to sum the timestamps of all of the logon events for a player, then subtract the sum of all the logoff events for the player (My math might be wrong, but I have a feeling this would work) How would I go about doing that?

I'm very new to splunk, so please go easy on me.

Re: Finding overall login time for a user

aholzer — Thu, 13 Jun 2013 18:15:20 GMT

You may want to look into transactions. Use your "logon" as your startswith attribute, and your "logoff" as your endswith attribute. Transactions will automatically be calculated with a duration field (I believe it's in seconds).

Once you have that you can simply do a stats sum of the durations by user. Something like this:

<your base search> | transaction <userid_field> startswith="*logon*" endswith="*logoff*" | stats sum(duration) as total_dur by <userid_field>

There are other methods to calculate duration between timstamps that you can find in splunk answers.

Hope this helps

Re: Finding overall login time for a user

Loscil — Thu, 13 Jun 2013 18:23:04 GMT

Worked like a charm, Thanks!