Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Streamstats help

zacksoft
Contributor
‎01-03-2019 07:34 AM

Here are two events from the source-type

2019-01-03 09:56:14,626 https-jsse-nio-7443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession created [70jb1u]

2019-01-03 09:56:14,626 https-jsse-nio-8443-exec-126 TOMMYLE 596x8523868x11 1pymrrq 30.139.119.25,30.128.254.78 /secure/Logout!default.jspa HttpSession [1pymrrq] destroyed for 'AF27461'

where TOMMYLE is the user and 'HttpSession created/destroyed' indicates when he logs in and gets logged out from the app. I could use some help probably with streamstats or something similar where it should compare , "keeping the user name same if the 'HttpSession created' word changes to 'HttpSession [some string] destroyed' in some upcoming event (which means the user session ended) then it should keep a tab/count telling whether the user is logged in right now. I intend to uses a timechart to show from the above data how many users are logged in right now in a span of 1 hour (Optional : and if possible how long the used was logged on).

Thank you. I hope i am clear with the explanation.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2019 02:28 PM

This should get you started.

index=foo "HttpSession" 
| eval COMMENT = "Extract the fields.  You can skip this bit if they're already extracted."
| rex "(?:\S+\s){3}(?<user>\S+)\s\S+\s(?<session>\S+)\s.*?HttpSession (?:\[[^\]]+\]\s)?(?<action>\S+)?"
| eval COMMENT = "Get the latest action for each user"
| stats first(_time) as logonTime, latest(action) as action, latest(user) as user by session
| eval COMMENT = "Filter those whose most recent action was a logon"
| where action="created"
| table logonTime user
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2019 01:23 AM

@richgalloway ♦ Can we put in a timechart like command indicating how many users were logged in per 30 min over a period of last 24 hours ?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2019 05:51 AM

Try replacing the where and table commands with timechart span=30m dc(user).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-03-2019 11:04 PM

@richgalloway ♦ This is brilliant. Thank you.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎01-03-2019 03:16 PM

| eval COMMENT = "Filter those whose most recent action was a logon" is gorgeous ; - )

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...