Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create user logon session line chart by timechart command

p2akira
Engager
‎12-04-2020 07:53 AM

Hi all, 

I have data in below that indicates logon and logoff time.

_timeuserstartTimeendTime
20/12/04 18:07:03.000A16070728231607073562
20/12/04 17:53:22.000B16070720021607074229
20/12/04 16:21:19.000A16070664791607066494
20/12/04 16:07:32.000C16070656521607065719

"_time" is equal to startTime but startTime is epoch time.

I would like to plot this time series data to line chart using timechart command.

Like, x axis indicates time with 1minutes span, and y axis indicates each user name and plot data to be 1 between session startTime and endTime.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-04-2020 08:38 PM 
index=_internal | head 1 | fields _raw 
| eval _raw="_time	user	startTime	endTime
20/12/04 18:07:03.000	A	1607072823	1607073562
20/12/04 17:53:22.000	B	1607072002	1607074229
20/12/04 16:21:19.000	A	1607066479	1607066494
20/12/04 16:07:32.000	C	1607065652	1607065719"
| multikv forceheader=1
| rex "(?<time>\S+ \S+)\s+(?<user>\w)\s+(?<startTime>\d+)\s+(?<endTime>\d+)"
| eval _time=strptime(time,"%y/%m/%d %T.%3Q")

| eval time=mvrange(startTime,endTime,60)
| mvexpand time
| stats count by time user
| rename time as _time
| timechart span=1min cont=f count by user

try column chart with stack

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-04-2020 08:38 PM 
index=_internal | head 1 | fields _raw 
| eval _raw="_time	user	startTime	endTime
20/12/04 18:07:03.000	A	1607072823	1607073562
20/12/04 17:53:22.000	B	1607072002	1607074229
20/12/04 16:21:19.000	A	1607066479	1607066494
20/12/04 16:07:32.000	C	1607065652	1607065719"
| multikv forceheader=1
| rex "(?<time>\S+ \S+)\s+(?<user>\w)\s+(?<startTime>\d+)\s+(?<endTime>\d+)"
| eval _time=strptime(time,"%y/%m/%d %T.%3Q")

| eval time=mvrange(startTime,endTime,60)
| mvexpand time
| stats count by time user
| rename time as _time
| timechart span=1min cont=f count by user

try column chart with stack

0 Karma
Reply
Solved! Jump to solution

p2akira
Engager
‎12-06-2020 10:18 PM

Thank you!

That's what I wanted to do.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-04-2020 08:03 AM

Hi @p2akira,

To do what you like, you should explore the timeline Visualization https://splunkbase.splunk.com/app/3120/

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

p2akira
Engager
‎12-04-2020 08:08 AM

Hi @gcusello ,

Thank you your app suggestions

I'm aware of that app, but I can't install it because our Splunk is deployed on a closed network or can't bring app packaged file.
Therefore, I would like to implement it by using the line chart that I can use by default.

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...