Concurrent active users

rklein · ‎05-26-2014

I have the following input: session id, login time, logout time.
I'm trying to get a graph of concurrent active users within the login/logout time range.
For example if i have the following dataset:
sid, login time, logout
1, 2014-05-26 11:00, 2014-05-26 15:00
2, 2014-05-26 12:00, 2014-05-26 13:00
3, 2014-05-26 13:00, 2014-05-26 14:00

I would like to get a graph which span on each hour with the following results:
11:00-12:00 1 concurrent users
12:00-13:00 2 concurrent users
14:00-15:00 2 concurrent users

lguinn2 · ‎05-26-2014

Here is the only way that I can think of to do this:

yoursearchhere
| eval ts=login_time . ";" . logout | makemv delim=";" ts
| mvexpand ts
| eval ts_epoch = strptime(ts, "%Y-%m-%d %H:%M")
| sort ts_epoch
| eval counter=if(ts==login_time,1,-1)
| streamstats sum(counter) as concurrent_users 
| bucket ts_epoch span=1h
| chart avg(concurrent_users) as "Avg Concurrent Users" by ts_epoch
| ts = strftime(ts_epoch, "%Y-%m-%d %H:%M")
| table ts "Avg Concurrent Users"

Concurrent active users

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases