Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create a dashboard (timechart) to show number of concurrent users logged in to the devices

splunkbeginner
Engager
‎03-19-2020 11:17 PM

my 2 devices (System01 and System02) as cluster are each sending one event per hour to Splunk like this:

00:00:00 – System01 - Number of concurrent users logged in to the device: 7
00:00:05 – System02 - Number of concurrent users logged in to the device: 1

00:01:00 - System01 - Number of concurrent users logged in to the device: 3
00:01:05 - System02 - Number of concurrent users logged in to the device: 2

00:02:00 - System01 - Number of concurrent users logged in to the device: 4
00:02:05 - System02 - Number of concurrent users logged in to the device: 2

00:03:00 - System01 - Number of concurrent users logged in to the device: 12
00:03:05 - System02 - Number of concurrent users logged in to the device: 26

00:04:00 - System01 - Number of concurrent users logged in to the device: 166
00:04:05 - System02 - Number of concurrent users logged in to the device: 20

00:05:00 - System01 - Number of concurrent users logged in to the device: 12
00:05:05 - System02 - Number of concurrent users logged in to the device: 5
...
00:23:00 - System01 - Number of concurrent users logged in to the device: 12
00:23:05 - System02 - Number of concurrent users logged in to the device: 3

it shall not requrie any stats/count command as the concurrent number is already given each hr. Could anyone advise a timechart/search command to display number of concerrent users each hr? thanks.
00hr 01hr 02hr 03hr 04hr 05hr … 23hr
7+1=8 3+2=5 4+2=6 12+26=38 166+20=186 12+5=17 12+3=15

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

anmolpatel
Builder
‎03-26-2020 05:17 PM

@splunkbeginner you mean like this?
Note: making the assumption that the timestamp above you mentioned was not in right format. I've updated below

| makeresults 
| eval _raw = "Info
00:00:00 -  System01 -  Number of concurrent users logged in to the device: 7
00:05:00 -  System02 -  Number of concurrent users logged in to the device: 1
01:00:00 -  System01 -  Number of concurrent users logged in to the device: 3
01:05:00 -  System02 -  Number of concurrent users logged in to the device: 2
02:00:00 -  System01 -  Number of concurrent users logged in to the device: 4
02:05:00 -  System02 -  Number of concurrent users logged in to the device: 2
03:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
03:05:00 -  System02 -  Number of concurrent users logged in to the device: 26
04:00:00 -  System01 -  Number of concurrent users logged in to the device: 166
04:05:00 -  System02 -  Number of concurrent users logged in to the device: 20
05:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
05:05:00 -  System02 -  Number of concurrent users logged in to the device: 5
23:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
23:05:00 -  System02 -  Number of concurrent users logged in to the device: 3" 
| multikv forceheader=1 
| rex field=_raw "(?<time>\d+:\d+:\d+)\s-\s(?<System>.*?)\s-\s(?<Info>.*)" 
| rex field=Info ".*?(?<concurrent_user>\d+)"
| eval _time = strptime(time, "%H:%M:%S") 
| timechart sum(concurrent_user) span=1h fixedrange=false

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

anmolpatel
Builder
‎03-26-2020 05:17 PM

@splunkbeginner you mean like this?
Note: making the assumption that the timestamp above you mentioned was not in right format. I've updated below

| makeresults 
| eval _raw = "Info
00:00:00 -  System01 -  Number of concurrent users logged in to the device: 7
00:05:00 -  System02 -  Number of concurrent users logged in to the device: 1
01:00:00 -  System01 -  Number of concurrent users logged in to the device: 3
01:05:00 -  System02 -  Number of concurrent users logged in to the device: 2
02:00:00 -  System01 -  Number of concurrent users logged in to the device: 4
02:05:00 -  System02 -  Number of concurrent users logged in to the device: 2
03:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
03:05:00 -  System02 -  Number of concurrent users logged in to the device: 26
04:00:00 -  System01 -  Number of concurrent users logged in to the device: 166
04:05:00 -  System02 -  Number of concurrent users logged in to the device: 20
05:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
05:05:00 -  System02 -  Number of concurrent users logged in to the device: 5
23:00:00 -  System01 -  Number of concurrent users logged in to the device: 12
23:05:00 -  System02 -  Number of concurrent users logged in to the device: 3" 
| multikv forceheader=1 
| rex field=_raw "(?<time>\d+:\d+:\d+)\s-\s(?<System>.*?)\s-\s(?<Info>.*)" 
| rex field=Info ".*?(?<concurrent_user>\d+)"
| eval _time = strptime(time, "%H:%M:%S") 
| timechart sum(concurrent_user) span=1h fixedrange=false

alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...