Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Active User count in the application not working

praneethlekkala
Path Finder
‎11-09-2021 05:33 AM

I want to know the active user count of an application, the following is the query i created, however its not giving the out put, can someone guide please?

 

index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]"
| rex "^\S+ \S+ \S+ \S+ \S+ (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"
| timechart span=15m dc(USER) as Application _User

I am getting the following out put:

_time                                        application_User
1 2021-11-09 00:00:00        0
2 2021-11-09 00:15:00        0
3 2021-11-09 00:30:00        0
4 2021-11-09 00:45:00        0

 

The Logs if i run the following query shows that there is the User ID in the output:

index=application host=Server Name sourcetype="Applicationprod-console-logs" "[AccessLogFilter]"

Output:

2021-11-09 08:29:12,787 INFO [http-nio-127.0.0.1-8085-exec-101 url: /deploy/viewDeploymentProjectEnvironments.action] [AccessLogFilter] USERID GET application.url.action?id=665059902 4320055kb
host = Server source = location = application-prod-console-logs

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2021 12:53 PM

When I tried the regex in regex101.com there were no matches.  Removing the leading anchor fixed it.

| rex "\S+ \S+ \S+ \S+ \S+ (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"

FWIW, this regex is faster

| rex "url: [^\]]+\] \[\S+] (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2021 12:53 PM

When I tried the regex in regex101.com there were no matches.  Removing the leading anchor fixed it.

| rex "\S+ \S+ \S+ \S+ \S+ (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"

FWIW, this regex is faster

| rex "url: [^\]]+\] \[\S+] (?<USER>\S+) (?<ACTION>\S+) (?<URL>\S+) (?<SIZE>\d+)kb"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

praneethlekkala
Path Finder
‎11-09-2021 02:43 PM

@richgalloway  Thanks, It worked!!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...