Re: Splunk Query for Search Query/Alert

phanichintha · ‎07-19-2020

Hello,

I need Avg time spent on login and logout by the user and want to calculate from the time they logged in and then out and then the total to show.

Need a query for this: Average time spent on the Platform by Users?

Example: each user spent how much time on work per day.

Query:
sourcetype="%forge%" source="/home/amadmin/log/authentication.audit.json" eventName=AM-LOGIN-COMPLETED OR eventName=AM-LOGOUT userId=*

anmolpatel · ‎07-19-2020

@phanichintha here is an example of how it can be achieved using the transaction command.

| makeresults
| eval _raw = "time, userID, eventName
20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED
20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED
20/07/2020 09:10:00, 2, AM-LOGOUT
20/07/2020 09:06:00, 1, AM-LOGOUT
20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED
20/07/2020 10:06:00, 3, AM-LOGOUT"
| multikv forceheader=1
| eval _time = strptime(time,"%d/%m/%Y %H:%M:%S")
| transaction userID maxspan=1d
| stats avg(duration) as AverageTimeSpentOnThePlatform

Here is the link to the command
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

You can make it more robust by using the startswith and endwith arguments

Hope this helps

Splunk Query for Search Query/Alert

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

Splunk Query for Search Query/Alert

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?