How do you find the number of users logged in at any specific hour?

zacksoft
Contributor

Here are two sample events

Event 1 -

2018-09-10 11:17:57,982 INFO [http-nio-127.0.0.1-8085-exec-130] [BreakssFogFilter] BF27462 GET https://rambo.ixngames.com/start.action 7485905kb

Event 2 -

2018-09-10 11:10:55,644 INFO [http-nio-127.0.0.1-8085-exec-51] [BreakssFogFilter] ZD07220 POST https://rambo.ixngames.com/userLogout.action 1615031kb

Event 1 indicates that a user just logged in. Event 2 indicates that a user logged out. Around 30 similar events, in slightly different formats, get created when a user logs in or logs out. The events also include the user name.

We are trying to figure out how many (distinct) users are logged in to the server at any specific hour by analyzing events in the formats shown above.

0 Karma
1 Solution

mayurr98
Super Champion

hey @zacksoft try this

<your_search>| rex field=_raw ".*\]\s(?<user>\w+)\s\w+" | timechart span=1h dc(user) 

let me know if this helps!


zacksoft
Contributor

@mayurr98

It executed for five minutes and the visualization was rendering well, then all of a sudden it stopped and gave me an error:
Streamed search execute failed because: Error in 'rex' command: regex=".*]\s(?<user>\w+)\s\w+" has exceeded configured match_limit, consider raising the value in limits.conf

0 Karma

mayurr98
Super Champion

I might have to change the rex. I have written the rex based on just the one sample event given.
OK, tell me: do you have [BreakssFogFilter] common in every sample event? Then try this:

<your_search>| rex field=_raw "\[BreakssFogFilter\]\s(?<user>\w+)" | timechart span=1h dc(user)

Also, try this

<your_search>| rex field=_raw "\[\w+\]\s(?<user>\w+)\s\w{3,6}" | timechart span=1h dc(user)

Run it for a shorter period and see if it gives you correct results, then for a longer one.

0 Karma

zacksoft
Contributor

@mayurr98
When I run it for only 'last 4 hours' it works.

Here are two sample events

Event 1 -
2018-09-10 11:17:57,982 INFO [http-nio-127.0.0.1-8085-exec-130] [BreakssFogFilter] BF27462 GET https://rambo.ixngames.com/start.action 7485905kb

Event 2 -
2018-09-10 11:10:55,644 INFO [http-nio-127.0.0.1-8085-exec-51] [BreakssFogFilter] ZD07220 POST https://rambo.ixngames.com/userLogout.action 1615031kb

Event 1 indicates that a user just logged in; Event 2 indicates that a user logged out. Around 30 similar events get created when a user logs in or logs out, specifying the user name in the events.

We are trying to figure out how many (distinct) users are logged in to the server at any specific hour.

0 Karma

mayurr98
Super Champion

Then you can write something like this in your base search to filter only the login events.

<base search> "https://rambo.ixngames.com/start.action" | rex field=_raw "\[BreakssFogFilter\]\s(?<user>\w+)" | timechart span=1h dc(user) 

If this solves your problem, accept the answer to close this question.

0 Karma

zacksoft
Contributor

@mayurr98

You Sir, are a genius !
Accepting your Answer.

0 Karma

imthesplunker
Path Finder

Try this.

| rex field=_raw "\w+\]\s(?<user_name>\w{7})\s" 
0 Karma

inventsekar
Ultra Champion

Please check this rex query... as I don't have logs, stats dc won't work on this SPL. You can test it on your Splunk.

| makeresults
| eval _raw = "2018-09-10 09:07:40,502 INFO [http-nio-116.0.1.1-8082-exec-212] [BreakssFogFilter] UG32791 POST https://rambo.ixngames.com/userLogout.action 5928653kb"
| rex field=_raw "(?<UserName>\w+) POST"
| table UserName _raw


0 Karma

zacksoft
Contributor

@inventsekar

Could you help parse the user name from this event? The user name is gz71606.

2018-09-10 11:24:33,555 INFO [http-nio-124.0.0.1-8082-exec-155] [MyfaultAuthenticator] login : 'gz71606' could not be authenticated with the given password
0 Karma

mayurr98
Super Champion

| rex field=_raw "\slogin\s\:\s\'(?<user>\w+)"

zacksoft
Contributor

@mayurr98
This is perfect.

0 Karma
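The accepted search above (filter on start.action, rex out the user, timechart dc(user) with span=1h) counts the distinct users who logged in during each hour, and the later rex pulls the account name out of the MyfaultAuthenticator failure line. What follows is an added example that is not part of the thread: a Python script over constructed sample events, in the two formats quoted above, that computes that same hourly distinct-login count and, as an extension the thread does not cover, the number of users with a session still open during each hour (pairing each login with that user's next logout) plus failed authentications per account per hour. The sample events, the session-pairing rule (a logout with no earlier login is treated as a session that began before the first event; a login with no logout stays open until the last event) and the hour bucketing are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the two formats quoted in the thread
# (BreakssFogFilter request lines and the MyfaultAuthenticator failure line).
# They are made up for this example and are not real log data.
SAMPLE_EVENTS = [
    "2018-09-10 09:07:40,502 INFO [http-nio-127.0.0.1-8085-exec-12] [BreakssFogFilter] UG32791 GET https://rambo.ixngames.com/start.action 51200kb",
    "2018-09-10 09:40:11,120 INFO [http-nio-127.0.0.1-8085-exec-13] [BreakssFogFilter] BF27462 GET https://rambo.ixngames.com/start.action 7485905kb",
    "2018-09-10 10:02:03,001 INFO [http-nio-127.0.0.1-8085-exec-14] [BreakssFogFilter] UG32791 POST https://rambo.ixngames.com/userLogout.action 1024kb",
    "2018-09-10 10:30:00,777 INFO [http-nio-127.0.0.1-8085-exec-15] [BreakssFogFilter] BF27462 POST https://rambo.ixngames.com/userLogout.action 2048kb",
    "2018-09-10 11:10:55,644 INFO [http-nio-127.0.0.1-8085-exec-51] [BreakssFogFilter] ZD07220 POST https://rambo.ixngames.com/userLogout.action 1615031kb",
    "2018-09-10 11:17:57,982 INFO [http-nio-127.0.0.1-8085-exec-130] [BreakssFogFilter] BF27462 GET https://rambo.ixngames.com/start.action 7485905kb",
    "2018-09-10 11:24:33,555 INFO [http-nio-124.0.0.1-8082-exec-155] [MyfaultAuthenticator] login : 'gz71606' could not be authenticated with the given password",
    "2018-09-10 11:25:01,002 INFO [http-nio-124.0.0.1-8082-exec-156] [MyfaultAuthenticator] login : 'gz71606' could not be authenticated with the given password",
    "2018-09-10 12:05:10,300 INFO [http-nio-127.0.0.1-8085-exec-16] [BreakssFogFilter] BF27462 POST https://rambo.ixngames.com/userLogout.action 4096kb",
]

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s")
# Anchored on the literal filter tag, as in the accepted answer, instead of a
# leading ".*": the engine then does not scan and backtrack over the whole event.
LOGIN_RE = re.compile(r"\[BreakssFogFilter\]\s(?P<user>\w+)\s\w+\s\S+/start\.action\b")
LOGOUT_RE = re.compile(r"\[BreakssFogFilter\]\s(?P<user>\w+)\s\w+\s\S+/userLogout\.action\b")
# mayurr98's authenticator rex; ':' and the quote need no escaping in Python's re.
FAILED_RE = re.compile(r"\slogin\s:\s'(?P<user>\w+)'")
HOUR_FMT = "%Y-%m-%d %H:00"


def parse_event(line):
    """Return (timestamp, kind, user) for a login/logout/failed event, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    for kind, rx in (("login", LOGIN_RE), ("logout", LOGOUT_RE), ("failed", FAILED_RE)):
        um = rx.search(line)
        if um:
            return ts, kind, um.group("user")
    return None


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_distinct_logins(lines):
    """What `... start.action | rex ... | timechart span=1h dc(user)` computes:
    distinct users who logged in *during* each hour (hours with no login are absent)."""
    users = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[1] == "login":
            users[hour_bucket(ev[0])].add(ev[2])
    return {h.strftime(HOUR_FMT): len(u) for h, u in sorted(users.items())}


def hourly_active_users(lines):
    """Distinct users with a session open at some point in each hour.
    Each user's earliest unmatched login is paired with the next logout, so the
    ~30 repeated events per login collapse into one session. Assumptions: a
    logout with no earlier login began before the first event; a login with no
    logout stays open until the last event."""
    events = sorted(e for e in (parse_event(l) for l in lines) if e and e[1] != "failed")
    if not events:
        return {}
    window_start, window_end = events[0][0], events[-1][0]
    open_since, sessions = {}, []
    for ts, kind, user in events:
        if kind == "login":
            open_since.setdefault(user, ts)
        else:
            sessions.append((user, open_since.pop(user, window_start), ts))
    sessions.extend((u, t, window_end) for u, t in open_since.items())
    result, h = {}, hour_bucket(window_start)
    while h <= window_end:
        nxt = h + timedelta(hours=1)
        active = {u for u, start, end in sessions if start < nxt and end >= h}
        result[h.strftime(HOUR_FMT)] = len(active)
        h = nxt
    return result


def hourly_failed_logins(lines):
    """Failed authentications per account per hour, from the authenticator line.
    Repeated failures against one account in one hour are the usual guessing signal."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev and ev[1] == "failed":
            counts[hour_bucket(ev[0]).strftime(HOUR_FMT)][ev[2]] += 1
    return {h: dict(u) for h, u in sorted(counts.items())}


if __name__ == "__main__":
    print("distinct logins per hour (accepted search):", hourly_distinct_logins(SAMPLE_EVENTS))
    print("users with an open session per hour:", hourly_active_users(SAMPLE_EVENTS))
    print("failed logins per account per hour:", hourly_failed_logins(SAMPLE_EVENTS))
```

On the constructed sample the two counts diverge: the login-based count has no 10:00 bucket at all, because no start.action event falls in that hour, while three users (two who logged in at 09:00 and one whose logout is the only trace of the session) still had sessions open then. Which count answers the question depends on whether "logged in at a specific hour" means "logged in during that hour" or "had a session open during that hour"; the accepted Splunk search gives the former.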

Sukisen1981
Champion

something like <your index>| rex field=_raw "\s\[BreakssFogFilter\]\s(?<user>.*?)\s" | timechart span=1h count by user

0 Karma