I am using IIS logs, and each user has to authenticate to log in to the site I manage.
I would like to get to a count of sessions, with the session identifier as the cs_username, over different periods of time.
After the above is achieved, I would then like to split up various user groups and change the standard session timeout. Normally a session ends after 30 minutes of inactivity; however, for some users I would like the session to end after, say, 3 hours of inactivity. I expect this is easy to achieve with a lookup table against usernames if the first step is possible.
Thanks,
Dan
Dan,
Maybe I am missing something in your question, but if you are trying to just get a count over time by cs_username, have you tried the timechart command?
sourcetype=iis | timechart count by cs_username
You can of course specify the bucketing in the timechart command, so you could see session counts by hour, minute, day, etc.
Dan, I think I understand what you are looking for now. I think that a combination of the transaction command and the duration command may be more what you are looking for?
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Concurrency
To be a bit clearer…
I can achieve hit, page view, and visitor stats, but not visit stats.
Most web analytics tools will have a session ID from the cookie etc. However, the current tool I use calculates the sessions from the authenticated username (cs_username), and I would like to replicate this in Splunk.
Thanks for the response.
What I would want to get to is number of visits per user over a given time period.
My issue is calculating the Visits/Sessions. So if there is a gap of more than 30 minutes between hits for a user, then this is a new Visit/Session.
Visit/Sessions being - A visit is an interaction, by an individual, with a website consisting of one or more requests for an analyst-definable unit of content (i.e. “page view”). If an individual has not taken another action (typically additional page views) on the site within a specified time period, the visit session will terminate.
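The visit definition discussed in this thread (a new visit starts when an authenticated user's gap between hits exceeds an inactivity timeout, with longer timeouts for some users) can be prototyped outside Splunk as below. This is an added example, not code from any poster; the log lines are constructed, `TIMEOUTS` is a hypothetical lookup table, and the raw W3C field name `cs-username` is assumed to correspond to Splunk's `cs_username`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2013-03-01 09:00:00 GET /home alice 10.0.0.5 200
2013-03-01 09:10:00 GET /report alice 10.0.0.5 200
2013-03-01 09:45:00 GET /home alice 10.0.0.5 200
2013-03-01 09:05:00 GET /home bob 10.0.0.9 200
2013-03-01 11:30:00 GET /admin bob 10.0.0.9 200
2013-03-01 15:00:00 GET /admin bob 10.0.0.9 200
2013-03-01 09:20:00 GET /favicon.ico - 10.0.0.7 401
"""

DEFAULT_TIMEOUT = timedelta(minutes=30)
# Hypothetical lookup table: username -> inactivity timeout.
TIMEOUTS = {"bob": timedelta(hours=3)}


def parse_hits(text):
    """Yield (username, timestamp) per authenticated request, using the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            user = row.get("cs-username", "-")
            if user != "-":  # "-" means the request was anonymous
                ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                yield user.lower(), ts


def count_visits(text, timeouts=TIMEOUTS, default=DEFAULT_TIMEOUT):
    """Return {username: visits}; a gap longer than the user's timeout starts a new visit."""
    hits = defaultdict(list)
    for user, ts in parse_hits(text):
        hits[user].append(ts)
    visits = {}
    for user, stamps in hits.items():
        stamps.sort()  # log order is not guaranteed to be per-user chronological
        limit = timeouts.get(user, default)
        visits[user] = 1 + sum(1 for a, b in zip(stamps, stamps[1:]) if b - a > limit)
    return visits


if __name__ == "__main__":
    print(count_visits(SAMPLE_LOG))
```

Anonymous requests (`-` in the username field) are dropped before counting, so unauthenticated hits such as failed logins do not create visits.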