Getting Data In

Can you help me build a query that shows time stamp for each user > session?

bluemarvel
Path Finder

This query gives me the time stamp once for each user, but not each time the user gets a session.

index="*" sourcetype=* 
|search "field:" 
|rex field=_raw "User:  (?<user>\S+)\)" 
|rex field=_raw "Session: (?<session>.*?)\."
|bin _time span=10m 
|dedup user session ID 
|stats values(ID) count by _time user session 
| where count >= 50
Tags (2)
0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Your dedup is part of the problem, but I suspect there is another.

If you are trying to detect the number of simultaneous sessions, then try something like this...

 index="*" sourcetype=* 
 |search "field:" 
 |rex field=_raw "User:  (?<user>\S+)\)" 
 |rex field=_raw "Session: (?<session>.*?)\."
 |bin _time as Time span=10m 
 |stats values(ID) dc(session) as dcSession values(session_) as valSession list(session) as listSession list(_time) as listTime by Time user
 | where dcSessions >= 50

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Your dedup is part of the problem, but I suspect there is another.

If you are trying to detect the number of simultaneous sessions, then try something like this...

 index="*" sourcetype=* 
 |search "field:" 
 |rex field=_raw "User:  (?<user>\S+)\)" 
 |rex field=_raw "Session: (?<session>.*?)\."
 |bin _time as Time span=10m 
 |stats values(ID) dc(session) as dcSession values(session_) as valSession list(session) as listSession list(_time) as listTime by Time user
 | where dcSessions >= 50

View solution in original post

rbreton
Path Finder

Could you paste a couple sample log entries?

0 Karma

adonio
Ultra Champion

your dedup removes all values with user and sessionID but 1

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!