Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Streamstats help

zacksoft
Contributor
‎01-03-2019 07:34 AM

Here are two events from the source-type

2019-01-03 09:56:14,626 https-jsse-nio-7443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession created [70jb1u]

2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'

where TOMMYLE is the user and 'HttpSession created/destroyed' indicates when he logs in and gets logged out from the app. I could use some help probably with streamstats or something similar where it should compare , "keeping the user name same if the 'HttpSession created' word changes to 'HttpSession [some string] destroyed' in some upcoming event (which means the user session ended) then it should keep a tab/count telling whether the user is logged in right now. I intend to uses a timechart to show from the above data how many users are logged in right now in a span of 1 hour (Optional : and if possible how long the used was logged on).

Thank you. I hope i am clear with the explanation.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2019 01:23 AM

@richgalloway ♦ Can we put in a timechart like command indicating how many users were logged in per 30 min over a period of last 24 hours ?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 05:51 AM

Try replacing the where and table commands with timechart span=30m dc(user).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-03-2019 11:04 PM

@richgalloway ♦ This is brilliant. Thank you.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-03-2019 03:16 PM

| eval COMMENT = "Filter those whose most recent action was a logon" is gorgeous ; - )

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...