Splunk Search

Count Open Sessions

jsven7
Communicator

Hi all. I'm trying to make a gauge that counts the number of logged-on users. I'm stuck on figuring out how to classify a session as "Open". Once I do this I'd just count the number of "OPEN SESSION"s. (Doing it this way in case the boss prefers a table.)

If MsgId is AUT22670 or AUT24414 the event represents a login. If the MsgId is AUT22673 then the event represents a logout.

Example Events:
User, Date, Time, MsgId

    my search..
    | eval ID=User | eval LoginDate=Date | eval LoginTime=Time
    | eval SESSIONS_STATUS = if(match(User,"(?i)ID") AND NOT MsgId=="AUT22673","OPEN SESSION","CLOSED SESSION")

It's not working the way I want, but am I headed in the right direction?

0 Karma
1 Solution

jplumsdaine22
Influencer

If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use dedup to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.

    sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId=="AUT22673","CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS

See http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup


richgalloway
SplunkTrust

Your match command is filtering out all Users except those called "ID", "Id", "id", or "iD" - probably not what you want.

Here is a slightly different approach that may help. Use the dedup command to get the most recent event for each user then filter out the logout events. What's left will be a list of open sessions.

    your search | dedup User | where NOT MsgId=="AUT22673" | eval LoginTime=_time | table User LoginTime
---
If this reply helps you, Karma would be appreciated.

jsven7
Communicator

This works nicely. Yeah, sometimes I get confused and try to attack things in Splunk as I would with a Perl script.

Someone showed me this too:

    my search...
    | transaction User startswith="MsgId=AUT22670 OR MsgId=AUT24414" endswith="MsgId=AUT22673" keeporphans=true
    | search linecount=1

Thanks!

0 Karma
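To make the "latest event per user" logic of the two dedup answers above concrete, here is an added plain-Python model of it (not Splunk, and not code from anyone in this thread). It assumes single-line events with the three MsgIds from the question and uses a constructed sample set that covers the edge cases: relogin after logout, a logout with no login seen, and repeated logins.

```python
# Constructed sample events (user, epoch seconds, MsgId); not real data from the thread.
LOGIN_IDS = {"AUT22670", "AUT24414"}
LOGOUT_ID = "AUT22673"

EVENTS = [
    ("alice", 100, "AUT22670"),
    ("alice", 200, "AUT22673"),  # login then logout: closed
    ("bob",   150, "AUT24414"),  # login only: open
    ("carol", 120, "AUT22670"),
    ("carol", 180, "AUT22673"),
    ("carol", 250, "AUT24414"),  # logged back in after a logout: open
    ("dave",   90, "AUT22673"),  # logout with no login seen: closed
    ("erin",   60, "AUT22670"),
    ("erin",  300, "AUT22670"),  # repeated login, no logout: one open session
    ("frank", 400, "AUT99999"),  # unrelated MsgId: excluded by the base search
]

def latest_auth_event_per_user(events):
    """Model of `(MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User`:
    restrict to the three auth MsgIds, then keep only the most recent event per user.
    dedup relies on Splunk's newest-first order; here the timestamp is compared explicitly."""
    latest = {}
    for user, ts, msg in events:
        if msg not in LOGIN_IDS and msg != LOGOUT_ID:
            continue  # the base search never returns these events
        if user not in latest or ts > latest[user][0]:
            latest[user] = (ts, msg)
    return latest

def session_status(events):
    """Model of `eval SESSIONS_STATUS=if(MsgId=="AUT22673","CLOSED SESSION","OPEN SESSION")`."""
    return {user: ("CLOSED SESSION" if msg == LOGOUT_ID else "OPEN SESSION")
            for user, (ts, msg) in latest_auth_event_per_user(events).items()}

def open_sessions(events):
    """Model of `dedup User | where NOT MsgId=="AUT22673" | eval LoginTime=_time`:
    users whose most recent auth event is a login, with that login's time."""
    return {user: ts for user, (ts, msg) in latest_auth_event_per_user(events).items()
            if msg != LOGOUT_ID}

def count_open_sessions(events):
    """The single number the gauge in the question needs."""
    return len(open_sessions(events))

if __name__ == "__main__":
    for user, status in sorted(session_status(EVENTS).items()):
        print(f"{user:6} {status}")
    print("open sessions:", count_open_sessions(EVENTS))
```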

jsven7
Communicator

Thanks, appreciate it!

0 Karma