topic Re: Find concurrent sessions over time? in Splunk Search

Finding concurrent sessions over time

PrisonMike — Thu, 24 Nov 2022 14:48:06 GMT

Re: Find concurrent sessions over time?

ITWhisperer — Tue, 22 Nov 2022 11:35:24 GMT

You may be better going back a step and using streamstats to keep a running total of sessions, something like this

| eval sessioncountchange=if(event="Login", 1, -1) | streamstats sum(sessioncountchange) as sessioncount by user

Re: Find concurrent sessions over time?

PrisonMike — Thu, 24 Nov 2022 12:11:36 GMT

Re: Find concurrent sessions over time?

ITWhisperer — Tue, 22 Nov 2022 12:01:11 GMT

If you use 1 and -1, lognum becomes the count of concurrent session open for the user.

| eval logtype = if(EventCode="4778", 1, -1) | eval logon_time = if(logtype=1, _time, null()) | eval logoff_time = if(logtype=-1, _time, null())

Re: Find concurrent sessions over time?

PrisonMike — Thu, 24 Nov 2022 14:34:33 GMT

Re: Find concurrent sessions over time?

ITWhisperer — Tue, 22 Nov 2022 12:18:33 GMT

You can't easily mix the searches - however, you could split the searches so that they have a common part

and two chained parts

| streamstats sum(eval(logtype==1)) as lognum by User | stats min(logon_time) as logon_time, min(logoff_time) as logoff_time by User lognum | eval duration = logoff_time - logon_time

and

| streamstats sum(logtype) as concurrent_users | timechart span=1h max(concurrent_users)

Re: Find concurrent sessions over time?

PrisonMike — Thu, 24 Nov 2022 14:34:48 GMT

Re: Find concurrent sessions over time?

ITWhisperer — Tue, 22 Nov 2022 14:01:06 GMT

Try something like this

Re: Find concurrent sessions over time?

PrisonMike — Thu, 24 Nov 2022 14:35:08 GMT

Re: How to find concurrent sessions over time?

yuanliu — Wed, 23 Nov 2022 09:26:13 GMT

@PrisonMike Given that you are able to determine login_time and logout_time for each session, you probably have some unique session_id as guidance? You must also have some unique event_type to tell you which event is login, which event is logout. As @ITWhisperer suggested, you should step back into these contexts to look for overlap.

I'll use the the most literal approach, namely transaction. Transaction is an expensive command. There are many ways to avoid using this command. But this command best illustrate the thinking.

| transaction session_id startswith="login_event" endswith="logout_event" ``` for illustration purpose only; you should construct transaction according to dataset ``` | where logout_time < login_time AND login_time != _time ``` within each transaction, login_time == _time ``` | timechart span=1h count

Hope this helps.

Re: Find concurrent sessions over time?

ITWhisperer — Wed, 23 Nov 2022 09:54:54 GMT

You get minus numbers because you have open sessions at the start of your time period. The problem is that you don't know how many open sessions there are. You could go back to the correlated search you started with and count the number of sessions you have with logout but no login. Or you could determine the minimum and if less than zero add these to the counts.

Both of these methods do not take into account sessions which start before your time period and end after your time period.