Streamstats help

zacksoft
Contributor

Here are two events from the source-type

2019-01-03 09:56:14,626 https-jsse-nio-7443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession created [70jb1u]

2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'

where TOMMYLE is the user and 'HttpSession created/destroyed' indicates when he logs in and gets logged out from the app. I could use some help, probably with streamstats or something similar, where it should compare, keeping the user name the same, whether the 'HttpSession created' word changes to 'HttpSession [some string] destroyed' in some upcoming event (which means the user session ended); then it should keep a tab/count telling whether the user is logged in right now. I intend to use a timechart to show from the above data how many users are logged in right now in a span of 1 hour (Optional: and if possible how long the user was logged on).

Thank you. I hope I am clear with the explanation.

1 Solution

richgalloway
SplunkTrust
SplunkTrust

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.

zacksoft
Contributor

@richgalloway Can we put in a timechart-like command indicating how many users were logged in per 30 min over a period of the last 24 hours?


richgalloway
SplunkTrust
SplunkTrust

Try replacing the where and table commands with timechart span=30m dc(user).

---
If this reply helps you, Karma would be appreciated.
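The field extraction and per-session pairing from the accepted answer, together with the 30-minute bucketed count from the follow-up, carried through in Python as an added example (not code from the thread or from Splunk). It goes one step beyond timechart dc(user): it counts users whose created/destroyed interval overlaps each bucket rather than users who merely have an event in it, and the intervals also give each session's duration. The log lines, user names, session ids and IP addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Same field extraction the accepted answer's rex performs, plus the timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ (?P<user>\S+) \S+ (?P<session>\S+) .*?"
    r"HttpSession (?:\[[^\]]+\] )?(?P<action>\S+)"
)

# Constructed sample events in the thread's format (users, ids and IPs are made up).
LOG = """\
2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-12 TOMMYLE 596x8523868x11 1pymrrq 10.0.0.5 /secure/Dashboard.jspa HttpSession created [1pymrrq]
2019-01-03 10:10:02,001 https-jsse-nio-8443-exec-13 JDOE 597x8523900x1 zz9abcd 10.0.0.6 /secure/Dashboard.jspa HttpSession created [zz9abcd]
2019-01-03 10:41:30,117 https-jsse-nio-8443-exec-14 TOMMYLE 596x8523868x11 1pymrrq 10.0.0.5 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'
2019-01-03 11:05:00,000 https-jsse-nio-8443-exec-15 ASMITH 598x8523950x4 q1w2e3r 10.0.0.7 /secure/Dashboard.jspa HttpSession created [q1w2e3r]
not a session event: skipped by the parser
""".splitlines()
WINDOW_START, WINDOW_END = datetime(2019, 1, 3, 9, 30), datetime(2019, 1, 3, 11, 30)

def parse(line):
    """Return (timestamp, user, session, action), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return ts, m["user"], m["session"], m["action"]

def session_intervals(lines):
    """Pair each 'created' with its 'destroyed' by session id -> (user, start, end).
    Sessions never destroyed are still open and get end=None."""
    open_sessions, intervals = {}, []
    for ts, user, session, action in sorted(filter(None, map(parse, lines))):
        if action == "created":
            open_sessions[session] = (user, ts)
        elif action == "destroyed" and session in open_sessions:
            user, start = open_sessions.pop(session)
            intervals.append((user, start, ts))
    intervals += [(user, start, None) for user, start in open_sessions.values()]
    return intervals

def logged_in_per_span(intervals, start, end, span=timedelta(minutes=30)):
    """Distinct users holding an open session at some point in each span bucket;
    this is the 'logged in right now' count the timechart dc(user) approximates."""
    counts, t = {}, start
    while t < end:
        counts[t] = len({u for u, s, e in intervals
                         if s < t + span and (e is None or e >= t)})
        t += span
    return counts
```

A session whose 'destroyed' event never arrives (browser closed, expiry not logged) stays open in this model, which is the same over-count the SPL version shows; a session timeout cutoff is the usual fix.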

zacksoft
Contributor

@richgalloway This is brilliant. Thank you.


ddrillic
Ultra Champion

| eval COMMENT = "Filter those whose most recent action was a logon" is gorgeous ; - )
