Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Displaying the number of concurrent users logg...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Displaying the number of concurrent users logged into a system over time
I'll ask this question in two ways in hope I can convey my intentions properly:
Generic Scenario
When you log into this system, a login event is written to a log. When the user logs off (connection closed, etc), a logoff event is written to a log. Throughout the time the user is logged into the box, I don't have any logs to tie activity to a specific user.
I want to be able to have a timechart that displays the total amount of users concurrently logged into a system throughout the course of the day.
So, if my user ID logs in at 1PM and log off at 4PM, my timechart with a span= of say.. 1h, should tally a "1" for 1PM, 2PM, 3PM and 4PM.
Better explained:
1pm User1 Login
2pm User2 Login
3pm <no login/logoff activity>
4pm User1 Logoff
5pm User2 Logoff
Base on those events, I want to be able to construct a table/timechart/something that says:
12pm 0 Users
1pm 1 User
2pm 2 Users
3pm 2 Users
4pm 2 Users
5pm 1 User
6pm 0 Users
So far, I have the equivalent of this:
index=logins | transaction User startswith=action=logon endswith=action=logoff | timechart span=1h dc(User) by User
However, that only gives me a tally of 1 for each User only for the hour when the login event happened. The time between their initial login and logoff drops off.
I can skip the transaction.. but then I get the tally for the time the login happened, and the time the logoff happened, and still missing the in between.
More specific scenario...
The same thing as above applies, but if it is of any help, this is being done with Windows Event Logs.
My true search looks like this:
index=os host=<myhost> source="WinEventLog:Security" | lookup windows_event_descriptions EventCode | search EventCodeDescription="Successful Logon" OR EventCodeDescription="User Logoff" | transaction User startswith=EventCodeDescription="Successful Logon" endswith=EventCodeDescription="User Logoff"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=os host=<myhost> source="WinEventLog:Security" | lookup windows_event_descriptions EventCode | search EventCodeDescription="Successful Logon" OR EventCodeDescription="User Logoff" | eval cnt=if(EventCodeDescription="Successful Logon",1,-1) | makecontinuous _time span=15m | eval cnt=coalesce(cnt,0) | accum cnt | timechart span=1h max(cnt) as MaxConUser
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have the user list?
lookup for the events containing the user names and description as successful login attemps and second will have user and log offs. so it would be like
search 1 : user,login_count per hour join search 2: user, logoff_count per hour| user_per_hour=login_count-logoff_count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm, not quite. It'll still not account for the hours in between the login and logoff events. I updated the original question with some better information..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
get rid of "by User" clause in the timechart command, should help you get what you want.
Introduction to Splunk AI
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Maximizing the Value of Splunk ES 8.x
