Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Concurrent active users

rklein
New Member
‎05-26-2014 09:01 AM

I have the following input: session id, login time, logout time.
I'm trying to get a graph of concurrent active users within the login/logout time range.
For example if i have the following dataset:
sid, login time, logout
1, 2014-05-26 11:00, 2014-05-26 15:00
2, 2014-05-26 12:00, 2014-05-26 13:00
3, 2014-05-26 13:00, 2014-05-26 14:00

I would like to get a graph which span on each hour with the following results:
11:00-12:00 1 concurrent users
12:00-13:00 2 concurrent users
14:00-15:00 2 concurrent users

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-26-2014 12:11 PM

Here is the only way that I can think of to do this:

yoursearchhere
| eval ts=login_time . ";" . logout | makemv delim=";" ts
| mvexpand ts
| eval ts_epoch = strptime(ts, "%Y-%m-%d %H:%M")
| sort ts_epoch
| eval counter=if(ts==login_time,1,-1)
| streamstats sum(counter) as concurrent_users 
| bucket ts_epoch span=1h
| chart avg(concurrent_users) as "Avg Concurrent Users" by ts_epoch
| ts = strftime(ts_epoch, "%Y-%m-%d %H:%M")
| table ts "Avg Concurrent Users"
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...