Splunk Search

How to calculate Splunk session time for a user?

vikas_gopal
Builder

Hi Experts,

I want to create a report for the last 24 hours which provides information like how many hours users were on Splunk in the past 24 hours, or in other words how many hours a user spent on Splunk.

Output will be like

User            Number of hours 
Admin                  10
test                    5
abc                     6

Regards
VG


adonio
Ultra Champion

I think, and I might be wrong, that Splunk does not record a logoff event, so it's not an easy task...
You can search the _audit and _internal indexes to check on users and what they are doing, as well as logon time.
Here are a couple of answers around this topic:
https://answers.splunk.com/answers/226555/how-to-find-how-many-users-are-logged-into-splunk.html
https://answers.splunk.com/answers/3768/how-do-you-find-out-who-is-logged-onto-splunk-right-now.html

Hope it helps.


vikas_gopal
Builder

Thank you Adonio for your quick response, and you are absolutely correct: from a single index it is not possible, so I have checked both _internal and _audit and have prepared the query below. Somehow this is not working; any help here please?

index=_audit sourcetype=audittrail user=admin action=log*
| append [ search index=_internal sourcetype=splunk_web_service user=admin action=log* ]
| sort 0 -_time
| transaction user startswith=eval(action="login attempt") endswith=eval(action="logout")
| table user action status info duration

adonio
Ultra Champion

I can help you with the query, but I suspect it won't be useful, as Splunk captures a "logout" event only when you click logout. If you close your tab or let the session time out, I suspect Splunk will not record it.
Another reason it will be tough to sum up the duration of sessions is that you don't have a unique session / transaction id to group by, so for every user that logs in more than one time, it gets pretty challenging.

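The two problems raised in the reply above, missing logout events and repeated logins with no session id, can be handled outside SPL by pairing each successful login with the next logout for the same user in time order and capping any login that never gets a logout at an idle timeout. The script below is an added example and is not code from this thread or from Splunk; the audittrail line format is approximated from real login/logout events, the 1-hour idle timeout and the report window end are assumed values, and the sample lines are constructed.

```python
"""Pair Splunk login/logout audit events into per-user session hours.

Added example, not from the original thread. It models the two issues the
thread raises: a logout is only recorded when the user clicks Logout (a
closed tab or expired session leaves no event), and there is no session id,
so a user with several logins must be paired by time order. Sessions that
never see a logout are capped at an assumed idle timeout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the approximate shape of index=_audit
# sourcetype=audittrail events (field set and timestamps are assumptions).
SAMPLE_AUDIT = """\
01-02-2024 08:00:00.000 Audit:[timestamp=01-02-2024 08:00:00.000, user=admin, action=login attempt, info=succeeded]
01-02-2024 09:00:00.000 Audit:[timestamp=01-02-2024 09:00:00.000, user=test, action=login attempt, info=succeeded]
01-02-2024 12:00:00.000 Audit:[timestamp=01-02-2024 12:00:00.000, user=admin, action=logout, info=succeeded]
01-02-2024 13:00:00.000 Audit:[timestamp=01-02-2024 13:00:00.000, user=admin, action=login attempt, info=succeeded]
01-02-2024 13:30:00.000 Audit:[timestamp=01-02-2024 13:30:00.000, user=abc, action=login attempt, info=failed]
01-02-2024 14:00:00.000 Audit:[timestamp=01-02-2024 14:00:00.000, user=abc, action=login attempt, info=succeeded]
01-02-2024 15:00:00.000 Audit:[timestamp=01-02-2024 15:00:00.000, user=abc, action=login attempt, info=succeeded]
01-02-2024 16:00:00.000 Audit:[timestamp=01-02-2024 16:00:00.000, user=abc, action=logout, info=succeeded]
01-02-2024 19:00:00.000 Audit:[timestamp=01-02-2024 19:00:00.000, user=admin, action=logout, info=succeeded]
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) Audit:\[.*?"
    r"user=(?P<user>[^,\]]+), action=(?P<action>login attempt|logout)"
    r"(?:, info=(?P<info>\w+))?"
)


def parse_audit(text):
    """Return (time, user, action, info) tuples for login/logout lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue  # searches, config changes etc. are not session markers
        events.append((datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
                       m["user"], m["action"], m["info"] or ""))
    events.sort(key=lambda e: e[0])
    return events


def session_hours(text, window_end, idle_timeout=timedelta(hours=1)):
    """Sum hours per user between a successful login and the next logout.

    A login never followed by a logout (tab closed, session expired) is closed
    at the earliest of: the user's next login, login + idle_timeout, or
    window_end. idle_timeout is an assumed value; use the web session timeout
    configured on the search head when running this for real.
    """
    open_login = {}                 # user -> login time still waiting for a logout
    total = defaultdict(timedelta)

    def close_without_logout(user, at):
        start = open_login.pop(user)
        total[user] += min(at, start + idle_timeout) - start

    for t, user, action, info in parse_audit(text):
        if action == "login attempt":
            if info != "succeeded":
                continue            # a failed login never opened a session
            if user in open_login:  # second login with no logout in between
                close_without_logout(user, t)
            open_login[user] = t
        elif action == "logout" and user in open_login:
            start = open_login.pop(user)
            total[user] += t - start   # explicit logout: trust the full duration
    for user in list(open_login):
        close_without_logout(user, window_end)
    return {u: d.total_seconds() / 3600 for u, d in total.items()}


if __name__ == "__main__":
    report_end = datetime(2024, 1, 3, 8, 0, 0)   # assumed end of the 24-hour window
    for user, hours in sorted(session_hours(SAMPLE_AUDIT, report_end).items()):
        print(f"{user:<12}{hours:>6.1f}")
```

With the constructed sample, admin has two clean login/logout pairs (4 h + 6 h), abc's first login is cut off by a second login an hour later, and test's login never gets a logout and is capped at the idle timeout, so a user who simply closed the browser is not credited with the whole report window.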

vikas_gopal
Builder

Totally agreed, I have observed the same with the data. Well, thanks for all the efforts; I will keep this question as unanswered. Let's see what others think about this.
