Security

App Sessions Started 24 hour average (All Time) - How to?

Rapidz
Explorer

Hey everyone,

I am trying to gauge at what time users are active on our app. I want to use data from (All time) to gather the average on a 24 hour scale. Is there a way for I can see the average time by hour. Right now this just shows the times when users login. It would be super useful for I can know how many users on average use the app by X AM/PM.

My current query is: 

index=app1 AND service=app AND logLevel=INFO AND environment=prod "message.eventAction"=START_SESSION |timechart span=1h count

This query can gather the users by hour on a 24 hour scale, but not the average from (All time).

If anyone could help, it would be greatly appreciated!

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=app1 AND service=app AND logLevel=INFO AND environment=prod "message.eventAction"=START_SESSION | chart count by date_hour
0 Karma

Rapidz
Explorer

That search does not seem to work. The query I have can work for the last 24 hours. It would be great, if it could work for taking the average of all SESSIONS_STARTED across 24 hours to get a picture of when users start the app.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=app1 AND service=app AND logLevel=INFO AND environment=prod "message.eventAction"=START_SESSION 
| bin _time span=1h
| stats count values(date_hour) as date_hour by _time
| chart avg(count) as average_per_hour by date_hour
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...