Concurrent active users

rklein · ‎05-26-2014

I have the following input: session id, login time, logout time.
I'm trying to get a graph of concurrent active users within the login/logout time range.
For example if i have the following dataset:
sid, login time, logout
1, 2014-05-26 11:00, 2014-05-26 15:00
2, 2014-05-26 12:00, 2014-05-26 13:00
3, 2014-05-26 13:00, 2014-05-26 14:00

I would like to get a graph which span on each hour with the following results:
11:00-12:00 1 concurrent users
12:00-13:00 2 concurrent users
14:00-15:00 2 concurrent users

lguinn2 · ‎05-26-2014

Here is the only way that I can think of to do this:

yoursearchhere
| eval ts=login_time . ";" . logout | makemv delim=";" ts
| mvexpand ts
| eval ts_epoch = strptime(ts, "%Y-%m-%d %H:%M")
| sort ts_epoch
| eval counter=if(ts==login_time,1,-1)
| streamstats sum(counter) as concurrent_users 
| bucket ts_epoch span=1h
| chart avg(concurrent_users) as "Avg Concurrent Users" by ts_epoch
| ts = strftime(ts_epoch, "%Y-%m-%d %H:%M")
| table ts "Avg Concurrent Users"

Concurrent active users

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation

Concurrent active users

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works