Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Chart count by Duration and User name
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chart count by Duration and User name
I have pulled VPN logs and I'd like to report on the duration that a user has used the VPN tunnel.
I have found the event that shows a disconnected VPN session.
It has the duration information and the user name. I don't know how to create a chart that will include the user name and the duration to next to it.
I have Chart by count Duration (Duration is a field I created)
But I can't seem to put in a search string to show Username and duration next to it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is a very good answer, that answers half my question.
I'm now getting data showing, but I want the duration next to the user name, I'm getting the duration over the top and the count next to the user name.
What would I put instead of count?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I edited my answer. Have a look.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try doing something like:
your search | chart count Username by Duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't error out but comes up with zero data. Yes, I to show a bar graph that shows user name and the duration graph next to it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, here is another edit. Lemme see if I get this right -- You want a chart (column chart?) that will show a Username and its associated duration? Or do you mean a table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I get this error message.
Error in 'chart' command: The specifier 'Duration' is invalid. It must be in form
I get where you are going and I hope it can be that simple, other ideas?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
