- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create line chart of search duration in timeline
Hi,
I have some vpn logs which show the vpn login activity per user, primarily the times that they disconnected, the duration of the session and the reason for the disconnection. I want the chart the duration of each session over a month by have a line chart with one line showing each duration, and also for the lines to be colour coded according to the reason of the disconnection.
The graph I am trying to achieve is shown in the link below:
The only difference is that I want the y-axis to be the day of the month, and the x axis to be the hour of the day.
I've tried working on it for several days and this is my current query:
earliest=-30d index=xxx sourcetype=xx Username=xx
| table reason _time duration
| eval startime=_time - duration
| eval BeginSession=strftime(startime,"%Y-%m-%d %H:%M:%S")
| eval EndSession=strftime(_time,"%Y-%m-%d %H:%M:%S")
| table reason *Session
| eval combinedt=BeginSession.",",EndSession
| makemv delim="," combinedt
| mvexpand combinedt
| eval _time=combinedt
| rename combinedt as Time
This gives me a time series of consecutive connection and disconnection timings, but I am pretty much stuck at this point. Any help would be greatly appreciated.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
earliest=-30d index=xxx sourcetype=xx Username=xx
| table reason _time duration
| eval startime=_time - duration
| table reason *Session
| eval combinedt=startime.","._time
| makemv delim="," combinedt
| mvexpand combinedt
| eval _time=combinedt
| timechart useother=f span=1s first(duration) by reason
