Streamstats help

zacksoft
Contributor

Here are two events from the source-type

2019-01-03 09:56:14,626 https-jsse-nio-7443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession created [70jb1u]

2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'

where TOMMYLE is the user and 'HttpSession created/destroyed' indicates when he logs in and gets logged out from the app. I could use some help, probably with streamstats or something similar, where it should compare, keeping the user name the same, if the 'HttpSession created' word changes to 'HttpSession [some string] destroyed' in some upcoming event (which means the user session ended); then it should keep a tab/count telling whether the user is logged in right now. I intend to use a timechart to show from the above data how many users are logged in right now in a span of 1 hour (optional: and if possible how long the user was logged on).

Thank you. I hope I am clear with the explanation.


richgalloway
SplunkTrust

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.


zacksoft
Contributor

@richgalloway Can we put in a timechart-like command indicating how many users were logged in per 30 min over a period of the last 24 hours?


richgalloway
SplunkTrust

Try replacing the where and table commands with timechart span=30m dc(user).

---
If this reply helps you, Karma would be appreciated.
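As an added example (not part of richgalloway's answers or the question), here is the same logic in Python so the behaviour can be checked offline: the regex is the accepted answer's rex translated to Python's (?P<name>) group syntax, current_logons mirrors the "latest action per session, keep the ones whose latest action is created" step, and logons_per_bucket approximates the later timechart span=30m dc(user) suggestion. The event lines and user/session names are constructed to match the field layout of the two events in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# The accepted answer's rex, rewritten with Python's (?P<name>) group syntax.
SESSION_RE = re.compile(
    r"(?:\S+\s){3}(?P<user>\S+)\s\S+\s(?P<session>\S+)\s.*?HttpSession "
    r"(?:\[[^\]]+\]\s)?(?P<action>\S+)?"
)

# Constructed sample events with the same field layout as the question's two lines.
EVENTS = [
    "2019-01-03 09:00:01,000 https-jsse-nio-8443-exec-1 ALICE 1x1x1 sessA 10.0.0.1 "
    "/secure/Dashboard.jspa HttpSession created [sessA]",
    "2019-01-03 09:10:02,000 https-jsse-nio-8443-exec-2 BOB 2x2x2 sessB 10.0.0.2 "
    "/secure/Dashboard.jspa HttpSession created [sessB]",
    "2019-01-03 09:40:03,000 https-jsse-nio-8443-exec-3 ALICE 3x3x3 sessA 10.0.0.1 "
    "/secure/Logout!default.jspa HttpSession [sessA] destroyed for 'AF00001'",
    "2019-01-03 10:05:04,000 https-jsse-nio-8443-exec-4 CAROL 4x4x4 sessC 10.0.0.3 "
    "/secure/Dashboard.jspa HttpSession created [sessC]",
]

def parse(line):
    """Extract time, user, session and action; None if the line has no HttpSession marker."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {"time": datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f"), **m.groupdict()}

def current_logons(lines):
    """Same idea as the SPL stats/where: keep each session's latest event,
    then report the sessions whose latest action is 'created'."""
    latest = {}
    for ev in filter(None, map(parse, lines)):
        prev = latest.get(ev["session"])
        if prev is None or ev["time"] >= prev["time"]:
            latest[ev["session"]] = ev
    return {s: ev["user"] for s, ev in latest.items() if ev["action"] == "created"}

def logons_per_bucket(lines, span_minutes=30):
    """Rough analogue of 'timechart span=30m dc(user)': distinct users with a
    'created' event in each bucket (span_minutes must divide 60)."""
    buckets = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["action"] == "created":
            t = ev["time"]
            start = t.replace(minute=t.minute - t.minute % span_minutes, second=0, microsecond=0)
            buckets[start].add(ev["user"])
    return {k.strftime("%Y-%m-%d %H:%M"): len(v) for k, v in sorted(buckets.items())}
```

With the constructed events, ALICE's session is destroyed after it was created, so only BOB and CAROL are reported as currently logged on.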

zacksoft
Contributor

@richgalloway This is brilliant. Thank you.


ddrillic
Ultra Champion

| eval COMMENT = "Filter those whose most recent action was a logon" is gorgeous ;-)
