How to calculate Splunk session for a user?

vikas_gopal
Builder

Hi Experts,

I want to create a report for the last 24 hours which shows how many hours each user was on Splunk in the past 24 hours, or in other words how many hours each user spent on Splunk.

Output will be like

User            Number of hours 
Admin                  10
test                    5
abc                     6

Regards
VG

0 Karma

adonio
Ultra Champion

I think, and I might be wrong, that Splunk does not record a logoff event, so it's not an easy task ...
You can search the _audit and _internal indexes to check on users and what they are doing, as well as logon time.
Here are a couple of answers around this topic:
https://answers.splunk.com/answers/226555/how-to-find-how-many-users-are-logged-into-splunk.html
https://answers.splunk.com/answers/3768/how-do-you-find-out-who-is-logged-onto-splunk-right-now.html

Hope it helps

0 Karma

vikas_gopal
Builder

Thank you Adonio for your quick response, and you are absolutely correct: from a single index it is not possible, so I have checked both _internal and _audit and I have prepared the query below. Somehow this is not working; any help here, please?

index=_audit sourcetype=audittrail user=admin action=log*
| dedup action, user
| append [| search index=_internal sourcetype=splunk_web_service user=admin action=log* | stats count by user action status]
| transaction user startswith=eval(action="login attempt") endswith=eval(action="logout")
| table user action status info duration
0 Karma

adonio
Ultra Champion

I can help you with the query, but I suspect it won't be useful, as Splunk captures a "logout" event only when you click logout. If you close your tab, or let the session time out, I suspect Splunk will not record it.
Another reason it will be tough to sum up the duration of sessions is that you don't have a unique session / transaction ID to group by. So for every user that logs in more than one time, it gets pretty challenging.

0 Karma

vikas_gopal
Builder

Totally agreed, I have observed the same with the data. Well, thanks for all the efforts; I will keep this question as unanswered. Let's see what others think about this.

0 Karma
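Added example, not part of the thread or any poster's query: one way to work around the two obstacles raised above (no reliable logout event, no session ID) is to estimate time on Splunk from audited activity, starting a new session whenever a user has been idle longer than a threshold. The 30-minute threshold (`idle_limit=1800`) and the field names `prev_time`, `gap`, `new_session` and `session_id` are assumptions chosen for illustration; the result is an activity-based estimate, not a true login-to-logout duration.

```spl
index=_audit sourcetype=audittrail earliest=-24h user=* user!="splunk-system-user"
| sort 0 user _time
| streamstats current=f last(_time) AS prev_time BY user
| eval idle_limit=1800
| eval gap=_time-prev_time
| eval new_session=if(isnull(prev_time) OR gap>idle_limit, 1, 0)
| streamstats sum(new_session) AS session_id BY user
| stats min(_time) AS start max(_time) AS end BY user session_id
| eval duration=end-start
| stats count AS sessions sum(duration) AS seconds BY user
| eval hours=round(seconds/3600, 2)
| table user sessions hours
```

A session that contains a single audited event contributes zero seconds, so this undercounts users who log in and only read dashboards that generate little audit activity.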