Solved: Calculating Active User's

apalen · ‎03-19-2014

I am struggling to find how to write this query to calculate active user's on our system. Currently we have a syslog that logs log in's and log outs. The syslog is on the same host (if that matters) we have a 2nd host that does session time outs which i also want to track as a log out.
I can pull these individually and put them into a time chart easy enough, but combining them has been futile so far.

somesoni2 · ‎03-19-2014

Try this: (I am not about your exact requirement, just generating combined count for both syslogs)

| multisearch [search logout requested | eval type="syslog"][search user in session | eval type="sessionlog"] | timechart count by type

View solution in original post

somesoni2 · ‎03-19-2014

Try this: (I am not about your exact requirement, just generating combined count for both syslogs)

| multisearch [search logout requested | eval type="syslog"][search user in session | eval type="sessionlog"] | timechart count by type

apalen · ‎03-19-2014

Thanks, This is defiantly a step in the right direction, i just need to put in the correct arguments. Im not a programer by any means, so this is quite the struggle for me. I'll keep playing with this try to make some progress.

apalen · ‎03-19-2014

logout requested | timechart count
user in session | timechart count

I hope this helps!

Edit: a word

somesoni2 · ‎03-19-2014

Could you provide sample logs or individual queries that you're using?

Calculating Active User's

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

Calculating Active User's

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard