Solved: Calculating Active User's

apalen · ‎03-19-2014

I am struggling to find how to write this query to calculate active user's on our system. Currently we have a syslog that logs log in's and log outs. The syslog is on the same host (if that matters) we have a 2nd host that does session time outs which i also want to track as a log out.
I can pull these individually and put them into a time chart easy enough, but combining them has been futile so far.

somesoni2 · ‎03-19-2014

Try this: (I am not about your exact requirement, just generating combined count for both syslogs)

| multisearch [search logout requested | eval type="syslog"][search user in session | eval type="sessionlog"] | timechart count by type

View solution in original post

somesoni2 · ‎03-19-2014

Try this: (I am not about your exact requirement, just generating combined count for both syslogs)

| multisearch [search logout requested | eval type="syslog"][search user in session | eval type="sessionlog"] | timechart count by type

apalen · ‎03-19-2014

Thanks, This is defiantly a step in the right direction, i just need to put in the correct arguments. Im not a programer by any means, so this is quite the struggle for me. I'll keep playing with this try to make some progress.

apalen · ‎03-19-2014

logout requested | timechart count
user in session | timechart count

I hope this helps!

Edit: a word

somesoni2 · ‎03-19-2014

Could you provide sample logs or individual queries that you're using?

Calculating Active User's

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?