https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261236#M78397 <P>If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use <STRONG>dedup</STRONG> to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.</P> <PRE><CODE>sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId==AUT22673,"CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS </CODE></PRE> <P>See <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup">http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup</A></P> Thu, 03 Dec 2015 14:34:24 GMT jplumsdaine22 2015-12-03T14:34:24Z https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261235#M78396 <P>Hi all. I'm trying to make a gauge that counts the amount of logged on users. Stuck on figuring out how to classify a session as "Open". Once I do this I'd just count the amount of "OPEN SESSIONS"s. (Doing it this way incase the boss prefers a table.)</P> <P><EM>If MsgId is AUT22670 or AUT24414 the event represent a login. If the MsgId is AUT22673 then the event represents a logout.</EM></P> <P>Example Events:<BR /> User, Date, Time, MsgId</P> <PRE><CODE> my search.. | eval ID=User | eval LoginDate=Date | eval LoginTime=Time | eval SESSIONS_STATUS = if((match(User,(?i)ID)) AND (NOT MsgId=AUT22673),"OPEN SESSION","CLOSED SESSION") </CODE></PRE> <P>Its not working the way I want but am I headed in the right direction?</P> Thu, 03 Dec 2015 14:15:02 GMT https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261235#M78396 jsven7 2015-12-03T14:15:02Z https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261236#M78397 <P>If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use <STRONG>dedup</STRONG> to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.</P> <PRE><CODE>sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId==AUT22673,"CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS </CODE></PRE> <P>See <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup">http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup</A></P> Thu, 03 Dec 2015 14:34:24 GMT https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261236#M78397 jplumsdaine22 2015-12-03T14:34:24Z https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261237#M78398 <P>Your <CODE>match</CODE> command is filtering out all Users except those called "ID", "Id, "id", or "iD" - probably not what you want.</P> <P>Here is a slightly different approach that may help. Use the <CODE>dedup</CODE> command to get the most recent event for each user then filter out the logout events. What's left will be a list of open sessions.</P> <PRE><CODE>your search | dedup User | where NOT MsgId==AUT22673 | eval LoginTime=_time | table User LoginTime </CODE></PRE> Thu, 03 Dec 2015 14:46:08 GMT https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261237#M78398 richgalloway 2015-12-03T14:46:08Z https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261238#M78399 <P>This works nicely. Yeah sometimes I get confused and try to attack things on Splunk as I would with a perl script. </P> <P>Someone showed me this too.<BR /> my search...<BR /> | transaction User startswith="MsgId=AUT22670 OR MsgId=AUT24414" endswith="MsgId=AUT22673" keeporphans=true <BR /> | search linecount=1</P> <P>Thanks!</P> Thu, 03 Dec 2015 15:30:07 GMT https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261238#M78399 jsven7 2015-12-03T15:30:07Z https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261239#M78400 <P>Thanks appreciate it!</P> Thu, 03 Dec 2015 15:31:38 GMT https://community.splunk.com/t5/Splunk-Search/Count-Open-Sessions/m-p/261239#M78400 jsven7 2015-12-03T15:31:38Z