Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to resolve these issues charting user time logged in vs day of the week?

pjmccormick
Explorer
‎08-12-2022 11:07 AM

I'm trying to make a chart that shows me how long each individual is logged in, including weekends. This is for a closed system that only has a handful of users.

I'm using this search to get the data, but I'm having a very difficult time getting it to chart out in a useable way.

 

 

 

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login 
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

 

 

 

Labels (2)
Labels
0 Karma
Reply

pjmccormick
Explorer
‎08-15-2022 12:54 PM

Thanks for the quick reply. I'm not nearly proficient but I still can't get the graph to lay out the way I would like for a quick review.

Using my code I get this trellis graph:

Trellis Graph V1.jpg

 

Using your code I got:

Trellis graph V2.jpg

 

What I'm hoping to be able to produce on my dashboard is something like this:

Example.jpg

 

Maybe I'm getting the right data and not visualizing it correctly?

A Trellis plot or scatter plot that lets us visualize when users are on the system so we can analyze for non-usual usage periods is where I'm trying to get to.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-13-2022 12:10 AM

Try something like this

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| bin span=1d _time AS Date 
| eventstats earliest(_time) AS login, latest(_time) AS logout by Date, host, user
| eval session_duration=logout-login 
| stats count AS auth_event_count, earliest(login) as login, max(session_duration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
Reply

pjmccormick
Explorer
‎08-16-2022 07:14 AM

Thank for the quick reply, this kind of set me back though so I'm not sure where to go with this from here. I've posted more info in this thread I just forgot to link it as a reply to your reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...