Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Streamstats help

zacksoft
Contributor
‎01-03-2019 07:34 AM

Here are two events from the source-type

2019-01-03 09:56:14,626 https-jsse-nio-7443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession created [70jb1u]

2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'

where TOMMYLE is the user and 'HttpSession created/destroyed' indicates when he logs in and gets logged out from the app. I could use some help probably with streamstats or something similar where it should compare , "keeping the user name same if the 'HttpSession created' word changes to 'HttpSession [some string] destroyed' in some upcoming event (which means the user session ended) then it should keep a tab/count telling whether the user is logged in right now. I intend to uses a timechart to show from the above data how many users are logged in right now in a span of 1 hour (Optional : and if possible how long the used was logged on).

Thank you. I hope i am clear with the explanation.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2019 01:23 AM

@richgalloway ♦ Can we put in a timechart like command indicating how many users were logged in per 30 min over a period of last 24 hours ?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 05:51 AM

Try replacing the where and table commands with timechart span=30m dc(user).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-03-2019 11:04 PM

@richgalloway ♦ This is brilliant. Thank you.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-03-2019 03:16 PM

| eval COMMENT = "Filter those whose most recent action was a logon" is gorgeous ; - )

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...