Re: Splunk Query for Search Query/Alert

phanichintha · ‎07-19-2020

Hello,

I need Avg time spent on login and logout by the user and want to calculate from the time they logged in and then out and then the total to show.

Need a query for this: Average time spent on the Platform by Users?

Example: each user spent how much time on work per day.

Query:
sourcetype="%forge%" source="/home/amadmin/log/authentication.audit.json" eventName=AM-LOGIN-COMPLETED OR eventName=AM-LOGOUT userId=*

anmolpatel · ‎07-19-2020

@phanichintha here is an example of how it can be achieved using the transaction command.

| makeresults
| eval _raw = "time, userID, eventName
20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED
20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED
20/07/2020 09:10:00, 2, AM-LOGOUT
20/07/2020 09:06:00, 1, AM-LOGOUT
20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED
20/07/2020 10:06:00, 3, AM-LOGOUT"
| multikv forceheader=1
| eval _time = strptime(time,"%d/%m/%Y %H:%M:%S")
| transaction userID maxspan=1d
| stats avg(duration) as AverageTimeSpentOnThePlatform

Here is the link to the command
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

You can make it more robust by using the startswith and endwith arguments

Hope this helps

Splunk Query for Search Query/Alert

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation