Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search to aggregate the difference between timestamps of disparate login and logout events by user ID over a given period of time?

MDSplunkNinja
Explorer
‎04-26-2016 01:55 PM

My agents log in and out of our system several times in a given shift and I need to aggregate the total time they spend logged in. There is one event captured for successful log in and two for log out (one for idle timeout and one for log out).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-28-2016 09:22 AM

Maybe this will help give you some ideas... (this is psuedo code, please tweak to your data set)

     index=* login OR logout OR timeout | rex "(?<action>login|logout|timeout)" | eval action=if(action=="logout" OR action=="timeout", "logout", action) | reverse | streamstats count as session by userid action | sort userid session | streamstats window=1 range(_time) as dur by userid session | stats sum(dur) as duration by userid

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎04-28-2016 09:22 AM

Maybe this will help give you some ideas... (this is psuedo code, please tweak to your data set)

     index=* login OR logout OR timeout | rex "(?<action>login|logout|timeout)" | eval action=if(action=="logout" OR action=="timeout", "logout", action) | reverse | streamstats count as session by userid action | sort userid session | streamstats window=1 range(_time) as dur by userid session | stats sum(dur) as duration by userid
0 Karma
Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎05-09-2016 12:50 PM

Thank you Sundareshr and Marina for your help. Here is what I was able to have success with:

sourcetype=XXXXXXXXXXXX client=XXXXXXXX (SUCCESSFUL_UI_LOGIN OR LOGOUT_UI_TIMEOUT OR LOGOUT_UI_REGULAR) | rex "(?SUCCESSFUL_UI_LOGIN|LOGOUT_UI_TIMEOUT|LOGOUT_UI_REGULAR)" | eval action=if(action=="LOGOUT_UI_TIMEOUT" OR action=="LOGOUT_UI_REGULAR", "logout", action) | transaction count as session by normalizedUsername action maxpause=1s | sort normalizedUsername session | transaction range(_time) as duration by normalizedUsername session startswith="SUCCESSFUL_UI_LOGIN" endswith="logout" | stats sum(duration) as duration by normalizedUsername
0 Karma
Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎04-29-2016 06:45 AM

sundareshr...this is looking pretty good. I am getting back data by user but all of the durations are "0". Did I miss a variable in this search that was "psuedo"?

sourcetype=XXXXXXXXXXXXXX client=XXXXXXXXX (SUCCESSFUL_UI_LOGIN OR LOGOUT_UI_TIMEOUT OR LOGOUT_UI_REGULAR) | rex "(?SUCCESSFUL_UI_LOGIN|LOGOUT_UI_TIMEOUT|LOGOUT_UI_REGULAR)" | eval action=if(action=="LOGOUT_UI_TIMEOUT" OR action=="LOGOUT_UI_REGULAR", "logout", action) | reverse | streamstats count as session by normalizedUsername action | sort normalizedUsername session | streamstats window=1 range(_time) as dur by normalizedUsername session | stats sum(dur) as duration by normalizedUsername
0 Karma
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎04-27-2016 02:20 AM

Hi,

I'm always using this sentence to find the total time for ticket handling:

eval diference=strptime('ClosureAt', "%d %b %Y %T %Z")-strptime('CreatedAt', "%d %b %Y %T %Z")

IT transforms the timestamp (type: "%d %b %Y %T %Z") in epoch time and calculates the difference. If you want an average, It's better to calculate it with epoch type and then make the change with this: 

eval "Time average"=tostring(round(avg,0), "duration")

Also, I know there is a statement called transaction that can help you better for this, but since I don't use it, I can not explain you how to do it. (See documentation here: http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Transaction )

0 Karma
Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎04-28-2016 06:56 AM

Agents=Users. I need to get the total time spent logged in to the system per user in a given shift or week or month.

0 Karma
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎04-29-2016 01:07 AM

The way sundareshr is doing below, sum by UserID in case you have a field like this.

Go through his response, I think it can help you more than mine. Mine is just for the time, but he is checking when it's a timeout and set it as logout, and streamstats statement will work for time calculation.

Anyway, write me again if anything! I will be glad to help

0 Karma
Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎04-27-2016 06:08 AM

How are you aggregating the total handling time per agent? Have you been able to do that within your search or do you have to do that in excel?

0 Karma
Reply
Solved! Jump to solution

marina_rovira
Contributor
‎04-27-2016 07:33 AM

What do you mean per agent?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...