My 2 devices (System01 and System02), running as a cluster, each send one event per hour to Splunk like this:
00:00:00 - System01 - Number of concurrent users logged in to the device: 7
00:00:05 - System02 - Number of concurrent users logged in to the device: 1
00:01:00 - System01 - Number of concurrent users logged in to the device: 3
00:01:05 - System02 - Number of concurrent users logged in to the device: 2
00:02:00 - System01 - Number of concurrent users logged in to the device: 4
00:02:05 - System02 - Number of concurrent users logged in to the device: 2
00:03:00 - System01 - Number of concurrent users logged in to the device: 12
00:03:05 - System02 - Number of concurrent users logged in to the device: 26
00:04:00 - System01 - Number of concurrent users logged in to the device: 166
00:04:05 - System02 - Number of concurrent users logged in to the device: 20
00:05:00 - System01 - Number of concurrent users logged in to the device: 12
00:05:05 - System02 - Number of concurrent users logged in to the device: 5
...
00:23:00 - System01 - Number of concurrent users logged in to the device: 12
00:23:05 - System02 - Number of concurrent users logged in to the device: 3
It should not require any stats/count command, as the concurrent number is already given each hour. Could anyone advise a timechart/search command to display the number of concurrent users each hour? Thanks.
Expected result per hour (sum of both devices):
00hr: 7+1=8
01hr: 3+2=5
02hr: 4+2=6
03hr: 12+26=38
04hr: 166+20=186
05hr: 12+5=17
…
23hr: 12+3=15
@splunkbeginner you mean like this?
Note: I'm making the assumption that the timestamps you mentioned above were not in the right format. I've updated them below.
| makeresults
| eval _raw = "Info
00:00:00 - System01 - Number of concurrent users logged in to the device: 7
00:05:00 - System02 - Number of concurrent users logged in to the device: 1
01:00:00 - System01 - Number of concurrent users logged in to the device: 3
01:05:00 - System02 - Number of concurrent users logged in to the device: 2
02:00:00 - System01 - Number of concurrent users logged in to the device: 4
02:05:00 - System02 - Number of concurrent users logged in to the device: 2
03:00:00 - System01 - Number of concurrent users logged in to the device: 12
03:05:00 - System02 - Number of concurrent users logged in to the device: 26
04:00:00 - System01 - Number of concurrent users logged in to the device: 166
04:05:00 - System02 - Number of concurrent users logged in to the device: 20
05:00:00 - System01 - Number of concurrent users logged in to the device: 12
05:05:00 - System02 - Number of concurrent users logged in to the device: 5
23:00:00 - System01 - Number of concurrent users logged in to the device: 12
23:05:00 - System02 - Number of concurrent users logged in to the device: 3"
| multikv forceheader=1
| rex field=_raw "(?<time>\d+:\d+:\d+)\s-\s(?<System>.*?)\s-\s(?<Info>.*)"
| rex field=Info ".*?(?<concurrent_user>\d+)"
| eval _time = strptime(time, "%H:%M:%S")
| timechart sum(concurrent_user) span=1h fixedrange=false
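The search above runs on inline makeresults data. Below is an added example (not part of the original answer) of the same idea run against indexed events, showing each device's hourly value plus the combined total; `index=<your_index>` and `sourcetype=<your_sourcetype>` are placeholders you must replace, and the rex pattern assumes the event text shown in the question.

```spl
index=<your_index> sourcetype=<your_sourcetype> "Number of concurrent users logged in to the device"
| rex field=_raw "(?<System>System\d+)\s-\s.*?device:\s(?<concurrent_user>\d+)"
| bin _time span=1h
| stats latest(concurrent_user) AS concurrent_user BY _time, System
| timechart span=1h sum(concurrent_user) AS users BY System
| addtotals fieldname=Total
```

The `bin` plus `stats latest(...)` step keeps exactly one gauge reading per device per hour, so a device that happens to log twice in one hour (for example after a restart) is not double-counted; the `addtotals` column reproduces the per-hour sums listed in the question (8, 5, 6, 38, 186, 17, ..., 15) alongside the per-device values.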