https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/661083#M228246 <P>This worked great, but how do I display also in the same search, what the first record was and the last record was for the durration.</P><P>Something like a table below</P><P>username, day, Duration, First, Last</P> Tue, 17 Oct 2023 18:26:29 GMT SplunkNovice202 2023-10-17T18:26:29Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339897#M170274 <P>Splunkers,</P> <P>I'm attempting to display how long a user as spent in our training portal over the last 30 days.</P> <P>Search string: </P> <P>index=blah <BR /> | stats earliest(_time) as login, latest(_time) as logout by user<BR /> | eval diff=logout-login<BR /> | eval diff=tostring(diff, "duration")<BR /> | convert timeformat="%B %d %Y %I:%M:%S %p" ctime(login)<BR /> | convert timeformat="%B %d %Y %I:%M:%S %p" ctime(logout)<BR /> | rename user as User, login as Login, logout as Logout, diff as "Time in Portal"</P> <P>Any advice would be great.</P> <P>Thanks!</P> Tue, 29 Sep 2020 19:03:15 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339897#M170274 matthew_foos 2020-09-29T19:03:15Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339898#M170275 <P>hello there,<BR /> seems like your query will calculate 1 long session for each user for 30 days.<BR /> do you have an event that indicates a logon / logout?<BR /> can you share some masked sample data?</P> Tue, 17 Apr 2018 15:41:02 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339898#M170275 adonio 2018-04-17T15:41:02Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339899#M170276 <P>Hi,</P> <P>I do not have an event that indicates a login / logout. I'm calculating those fields with this:</P> <P>| stats earliest(_time) as login, latest(_time) as logout by user<BR /> | eval diff=logout-login<BR /> | eval diff=tostring(diff, "duration")</P> <P>This gives me a login, logout, and diff(how long they spent in the portal).</P> <P>Unfortunatly, this is all I have to work with..</P> Tue, 29 Sep 2020 19:03:21 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339899#M170276 matthew_foos 2020-09-29T19:03:21Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339900#M170277 <P>hmmm,<BR /> not sure how to approach this Rubiks cube. if for example user A logs in in day 1 and logs out that same day and also logs in and out on day 29, your query will capture login in day 1 and logout on day 29 and therefore calculate 28+ days on portal...<BR /> can you shed some more light by sharing some masked sample data?</P> Tue, 17 Apr 2018 15:59:04 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339900#M170277 adonio 2018-04-17T15:59:04Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339901#M170278 <P>You could try the following:</P> <PRE><CODE>index=blah | bucket _time as day span=1d | stats earliest(_time) as login, latest(_time) as logout by user, day | eval diff=logout-login | stats sum(diff) as tip by user | eval tip=tostring(tip, "duration") | rename user as User, tip as "Time in Portal" </CODE></PRE> <P>That should retrieve time in Portal per user per day, then sums it to get Time in Portal per user last 30 days</P> Tue, 17 Apr 2018 16:11:48 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339901#M170278 damien_chillet 2018-04-17T16:11:48Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339902#M170279 <P>No results for the Time in Portal field </P> Tue, 17 Apr 2018 18:17:27 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339902#M170279 matthew_foos 2018-04-17T18:17:27Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339903#M170280 <P>Hey i made a mistake, i've edited the SPL, could you try one more time?</P> Wed, 18 Apr 2018 10:29:31 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339903#M170280 damien_chillet 2018-04-18T10:29:31Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339904#M170281 <P>Answered my own question:</P> <P>index=something<BR /> | eval day=strftime(_time, "%B %d %Y") <BR /> | eventstats range(_time) AS duration BY username day<BR /> | stats values(duration) as duration by username day<BR /> | eval duration=tostring(duration, "duration")</P> Tue, 29 Sep 2020 19:13:00 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/339904#M170281 matthew_foos 2020-09-29T19:13:00Z https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/661083#M228246 <P>This worked great, but how do I display also in the same search, what the first record was and the last record was for the durration.</P><P>Something like a table below</P><P>username, day, Duration, First, Last</P> Tue, 17 Oct 2023 18:26:29 GMT https://community.splunk.com/t5/Splunk-Search/Display-a-users-time-in-portal-by-day/m-p/661083#M228246 SplunkNovice202 2023-10-17T18:26:29Z