I would like to total the time that each user is logged in to the VPN.
This is what one of my logs looks like.
Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group",
Username = "User", IP = "ip_address",
Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734,
Bytes rcv: 4557700, Reason: User Requested
host="ip_address" | Group="Group" | Username="User" | Session_Type=Session Type: SSL | Duration=1h:59m:24s
After totaling the durations I would like to graph each user.
I have tried to use (eval, stats, and strptime) but cannot get any to work on this correctly.
If someone could help, what would the search string look like in order to do this?
Thank You
... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | stats sum(duration) as total_duration by Username
In the 1st search posted, rex field=Duration
duration must have a lower case "d" for it to work
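As an added, stand-alone illustration of the same per-user totalling (this is not code from the thread or from Splunk), the Python below applies the answer's regex to constructed ASA 113019 disconnect events, treats the hours group as optional exactly as the rex pattern does, and renders the totals back into h:m:s for a readable table:

```python
import re
from collections import defaultdict

# Regex for the %ASA-4-113019 disconnect message. The hours part is optional,
# so a short session is logged as "45m:10s" rather than "0h:45m:10s".
ASA_113019 = re.compile(
    r'%ASA-4-113019: Group = "(?P<group>[^"]*)", Username = "(?P<user>[^"]*)".*?'
    r'Duration: (?:(?P<h>\d+)h:)?(?P<m>\d+)m:(?P<s>\d+)s'
)

def duration_seconds(h, m, s):
    """Same arithmetic as the SPL eval: s + 60*m + 3600*coalesce(h, 0)."""
    return int(s) + 60 * int(m) + 3600 * (int(h) if h is not None else 0)

def total_by_user(lines):
    """Sum VPN session seconds per Username across disconnect events."""
    totals = defaultdict(int)
    for line in lines:
        m = ASA_113019.search(line)
        if m is None:          # not a session-disconnect event, skip it
            continue
        totals[m.group("user")] += duration_seconds(m.group("h"), m.group("m"), m.group("s"))
    return dict(totals)

def hms(seconds):
    """Render a second count back as Hh:Mm:Ss (what the follow-up question asked for)."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}h:{m}m:{s}s"

# Constructed sample events modelled on the log line in the question; the
# hostnames, users and addresses are placeholders, and the last line is a
# made-up non-disconnect event to show that it is ignored.
SAMPLE_LOG = [
    'Apr 30 00:48:25 10.0.0.1 Apr 30 2012 00:48:25: %ASA-4-113019: Group = "VPN", '
    'Username = "alice", IP = "192.0.2.10", Session disconnected. Session Type: SSL, '
    'Duration: 1h:59m:24s, Bytes xmt: 86659734, Bytes rcv: 4557700, Reason: User Requested',
    'Apr 30 02:10:03 10.0.0.1 Apr 30 2012 02:10:03: %ASA-4-113019: Group = "VPN", '
    'Username = "alice", IP = "192.0.2.11", Session disconnected. Session Type: SSL, '
    'Duration: 45m:10s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Idle Timeout',
    'Apr 30 03:00:00 10.0.0.1 Apr 30 2012 03:00:00: %ASA-4-113019: Group = "VPN", '
    'Username = "bob", IP = "192.0.2.12", Session disconnected. Session Type: SSL, '
    'Duration: 0h:02m:05s, Bytes xmt: 10, Bytes rcv: 20, Reason: User Requested',
    'Apr 30 03:00:01 10.0.0.1 Apr 30 2012 03:00:01: %ASA-6-XXXXXX: Group = "VPN", '
    'Username = "bob", constructed session-start event, not a disconnect',
]

if __name__ == "__main__":
    for user, secs in sorted(total_by_user(SAMPLE_LOG).items()):
        print(f"{user}\t{secs}\t{hms(secs)}")
```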
Thank you, Sowings. That was the hint I needed. I created a field called duration with the field extractor and then made sure it was one of the selected fields.
Hi, I'm very glad to have found this thread as I am trying to get the same information from Splunk, however I'm not getting any results past the table, which only contains the user names. I've even tried shortening the query to the table portion, however I still do not receive data.
The original log event looks something like this:
Apr 30 00:48:25 "ip_address" Apr 30 2012 00:48:25: %ASA-4-113019: Group = "Group", Username = "User", IP = "ip_address", Session disconnected. Session Type: SSL, Duration: 1h:59m:24s, Bytes xmt: 86659734, Bytes rcv: 4557700, Reason: User Requested
By default, Splunk will do automatic Key=Value extraction, meaning that in this case, it will only find Group, Username, and IP. You'll have to write field extraction rules to collect the other values from the log event.
You could also | eval dur=strptime(Duration, "%Hh:%Mm:%Ss")
Hmm, noted. It seems that mktime (available in convert) does the same thing. Seconds math it is!
It's a different result, though. This will result in Today's epoch time plus the duration.
I re-ran the search with just the host and your search and I did get results! Now I have to figure out how to turn it back into human-readable time, but it looks like the string you sent works great. I must have messed something up when I tried it before. Thank you for the great help with this.
Can you see the field "Duration" in the field picker (on the left side)? What's the exact search you're running?
No, I get no results found. Sorry if I'm missing something small, I'm very new to Splunk. It doesn't return an error, but it does not return any extracted dur_* fields.
If you execute the search without the trailing stats command, can you see any extracted dur_* fields?
... | rex field=Duration "((?<dur_h>\d+)h:)?(?<dur_m>\d+)m:(?<dur_s>\d+)s" | eval duration=dur_s+60*dur_m+3600*coalesce(dur_h,0) | table dur*
Correct, "Duration" is exactly as it appears in the log statement from my initial question. That is definitely the field we are trying to get the cumulative duration of a user from. It did create the total_duration field and the Usernames were listed, just no data at all in the total_duration output.
There's a field "Duration" in your results, right?
The answer from ziegried does return results without error. The Username field is shown with the usernames listed but the total_duration field that is created is blank. Any ideas on why that would be?