Concurrent active users

rklein · ‎05-26-2014

I have the following input: session id, login time, logout time.
I'm trying to get a graph of concurrent active users within the login/logout time range.
For example if i have the following dataset:
sid, login time, logout
1, 2014-05-26 11:00, 2014-05-26 15:00
2, 2014-05-26 12:00, 2014-05-26 13:00
3, 2014-05-26 13:00, 2014-05-26 14:00

I would like to get a graph which span on each hour with the following results:
11:00-12:00 1 concurrent users
12:00-13:00 2 concurrent users
14:00-15:00 2 concurrent users

lguinn2 · ‎05-26-2014

Here is the only way that I can think of to do this:

yoursearchhere
| eval ts=login_time . ";" . logout | makemv delim=";" ts
| mvexpand ts
| eval ts_epoch = strptime(ts, "%Y-%m-%d %H:%M")
| sort ts_epoch
| eval counter=if(ts==login_time,1,-1)
| streamstats sum(counter) as concurrent_users 
| bucket ts_epoch span=1h
| chart avg(concurrent_users) as "Avg Concurrent Users" by ts_epoch
| ts = strftime(ts_epoch, "%Y-%m-%d %H:%M")
| table ts "Avg Concurrent Users"

Concurrent active users

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Concurrent active users

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future