Re: Splunk Query for Search Query/Alert

phanichintha · ‎07-19-2020

Hello,

I need Avg time spent on login and logout by the user and want to calculate from the time they logged in and then out and then the total to show.

Need a query for this: Average time spent on the Platform by Users?

Example: each user spent how much time on work per day.

Query:
sourcetype="%forge%" source="/home/amadmin/log/authentication.audit.json" eventName=AM-LOGIN-COMPLETED OR eventName=AM-LOGOUT userId=*

anmolpatel · ‎07-19-2020

@phanichintha here is an example of how it can be achieved using the transaction command.

| makeresults
| eval _raw = "time, userID, eventName
20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED
20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED
20/07/2020 09:10:00, 2, AM-LOGOUT
20/07/2020 09:06:00, 1, AM-LOGOUT
20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED
20/07/2020 10:06:00, 3, AM-LOGOUT"
| multikv forceheader=1
| eval _time = strptime(time,"%d/%m/%Y %H:%M:%S")
| transaction userID maxspan=1d
| stats avg(duration) as AverageTimeSpentOnThePlatform

Here is the link to the command
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

You can make it more robust by using the startswith and endwith arguments

Hope this helps

Splunk Query for Search Query/Alert

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Splunk Query for Search Query/Alert

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience