Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count Open Sessions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all. I'm trying to make a gauge that counts the amount of logged on users. Stuck on figuring out how to classify a session as "Open". Once I do this I'd just count the amount of "OPEN SESSIONS"s. (Doing it this way incase the boss prefers a table.)
If MsgId is AUT22670 or AUT24414 the event represent a login. If the MsgId is AUT22673 then the event represents a logout.
Example Events:
User, Date, Time, MsgId
my search..
| eval ID=User | eval LoginDate=Date | eval LoginTime=Time
| eval SESSIONS_STATUS = if((match(User,(?i)ID)) AND (NOT MsgId=AUT22673),"OPEN SESSION","CLOSED SESSION")
Its not working the way I want but am I headed in the right direction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use dedup to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.
sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId==AUT22673,"CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS
See http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your match command is filtering out all Users except those called "ID", "Id, "id", or "iD" - probably not what you want.
Here is a slightly different approach that may help. Use the dedup command to get the most recent event for each user then filter out the logout events. What's left will be a list of open sessions.
your search | dedup User | where NOT MsgId==AUT22673 | eval LoginTime=_time | table User LoginTime
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works nicely. Yeah sometimes I get confused and try to attack things on Splunk as I would with a perl script.
Someone showed me this too.
my search...
| transaction User startswith="MsgId=AUT22670 OR MsgId=AUT24414" endswith="MsgId=AUT22673" keeporphans=true
| search linecount=1
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use dedup to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.
sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId==AUT22673,"CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS
See http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks appreciate it!
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
