Finding concurrent sessions over time

PrisonMike
Explorer

yuanliu
SplunkTrust

@PrisonMike Given that you are able to determine login_time and logout_time for each session, you probably have some unique session_id as guidance?  You must also have some unique event_type to tell you which event is login, which event is logout.  As @ITWhisperer suggested, you should step back into these contexts to look for overlap.

I'll use the most literal approach, namely transaction.  Transaction is an expensive command.  There are many ways to avoid using this command.  But this command best illustrates the thinking.

| transaction session_id startswith="login_event" endswith="logout_event" ``` for illustration purpose only; you should construct transaction according to dataset ```
| where logout_time < login_time AND login_time != _time ``` within each transaction, login_time == _time ```
| timechart span=1h count

Hope this helps.

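The pairing step that transaction performs, written out in Python as an added example (this is not code from the thread or from Splunk): login and logout events are paired by session_id into intervals, sessions that have only one side inside the window are reported separately, and a sweep over the sorted change points gives the peak number of simultaneously open sessions per hour, which is the timechart the question asks for. The event tuples, the session ids and the "login_event"/"logout_event" labels are constructed sample data; clamping a half-seen session to the window edge is an assumption, since its true start or end is not in the data.

```python
from datetime import datetime, timezone

HOUR = 3600

# Constructed sample events, not data from the thread: (timestamp, session_id, event_type).
# Deliberately unsorted; "s0" has a logout but no login in the window, i.e. it was already
# open when the window began.
EVENTS = [
    ("2024-05-01T09:50:00Z", "s3", "login_event"),
    ("2024-05-01T08:15:00Z", "s1", "login_event"),
    ("2024-05-01T08:20:00Z", "s0", "logout_event"),
    ("2024-05-01T08:40:00Z", "s2", "login_event"),
    ("2024-05-01T09:10:00Z", "s1", "logout_event"),
    ("2024-05-01T10:05:00Z", "s2", "logout_event"),
    ("2024-05-01T11:20:00Z", "s3", "logout_event"),
]


def epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (what Splunk keeps in _time)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def build_sessions(events):
    """Pair each session_id's login and logout, the way
    `transaction session_id startswith=login endswith=logout` does.
    Returns {session_id: (login_time, logout_time)}; a side is None when that
    event is not in the window (open at window start, or still open at its end)."""
    login, logout = {}, {}
    for ts, sid, kind in events:
        if kind == "login_event":
            login[sid] = epoch(ts)
        elif kind == "logout_event":
            logout[sid] = epoch(ts)
    return {sid: (login.get(sid), logout.get(sid))
            for sid in login.keys() | logout.keys()}


def unpaired(sessions):
    """Sessions the window cannot fully see: (open at start, open at end)."""
    open_at_start = sorted(sid for sid, (lo, _) in sessions.items() if lo is None)
    open_at_end = sorted(sid for sid, (_, hi) in sessions.items() if hi is None)
    return open_at_start, open_at_end


def peak_concurrency_by_hour(sessions, window_start, window_end):
    """Peak number of simultaneously open sessions in each 1h bucket.
    Sweep over sorted (time, +1/-1) change points. A session with a missing
    login or logout is clamped to the window edge (assumption: the true edge
    is unknown). At equal timestamps the -1 sorts before the +1, so a logout
    and a login in the same second never overcount."""
    changes = []
    for lo, hi in sessions.values():
        changes.append((window_start if lo is None else lo, +1))
        changes.append((window_end if hi is None else hi, -1))
    changes.sort()
    first = window_start - window_start % HOUR
    last = window_end - window_end % HOUR
    peaks, running, i = {}, 0, 0
    for bucket in range(first, last + HOUR, HOUR):
        peak = running  # sessions carried over from the previous hour count too
        while i < len(changes) and changes[i][0] < bucket + HOUR:
            running += changes[i][1]
            peak = max(peak, running)
            i += 1
        peaks[bucket] = peak
    return peaks


def concurrent_sessions(events):
    """Window = [earliest event, latest event]; returns {hour_epoch: peak}."""
    times = [epoch(ts) for ts, _, _ in events]
    return peak_concurrency_by_hour(build_sessions(events), min(times), max(times))


if __name__ == "__main__":
    print("open at window start / end:", unpaired(build_sessions(EVENTS)))
    for hour, peak in sorted(concurrent_sessions(EVENTS).items()):
        print(datetime.fromtimestamp(hour, timezone.utc).strftime("%H:%M"), peak)
```

With the sample data the sweep reports a peak of 2 for 08:00, 09:00 and 10:00 and 1 for 11:00, and "s0" is listed as open at window start. Counting sessions that merely touch an hour would give 3 for 08:00, so decide up front whether the chart should show peak concurrency or the number of distinct sessions seen in the hour; the two differ whenever sessions start and end inside the same bucket.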

ITWhisperer
SplunkTrust

You may be better going back a step and using streamstats to keep a running total of sessions, something like this

| eval sessioncountchange=if(event="Login", 1, -1)
| streamstats sum(sessioncountchange) as sessioncount by user

PrisonMike
Explorer

ITWhisperer
SplunkTrust

If you use 1 and -1, lognum becomes the count of concurrent sessions open for the user.

| eval logtype = if(EventCode="4778", 1, -1)
| eval logon_time = if(logtype=1, _time, null())
| eval logoff_time = if(logtype=-1, _time, null())

PrisonMike
Explorer

ITWhisperer
SplunkTrust

You can't easily mix the searches - however, you could split the searches so that they have a common part

index= …..
| stats values(EventCode) as EventCode by User _time
| eval logtype = if(EventCode="4778", 1, -1)
| eval logon_time = if(logtype=1, _time, null())
| eval logoff_time = if(logtype=-1, _time, null())
| fields _time User log*
| sort 0 _time

and two chained parts

| streamstats sum(eval(logtype==1)) as lognum by User
| stats min(logon_time) as logon_time, min(logoff_time) as logoff_time by User lognum
| eval duration = logoff_time - logon_time

and

| streamstats sum(logtype) as concurrent_users
| timechart span=1h max(concurrent_users)

PrisonMike
Explorer

ITWhisperer
SplunkTrust

Try something like this

| streamstats sum(logtype) as concurrent
| bin span=1h _time
| stats max(concurrent) as concurrent by _time
| eventstats min(_time) as start
| eval hour=(_time-start)/(60*60)
| makecontinuous hour
| filldown start concurrent
| eval _time=start+(hour*60*60)

PrisonMike
Explorer

ITWhisperer
SplunkTrust

You get negative numbers because you have open sessions at the start of your time period. The problem is that you don't know how many open sessions there are. You could go back to the correlated search you started with and count the number of sessions you have with logout but no login. Or you could determine the minimum and, if it is less than zero, add this to the counts.

| streamstats sum(logtype) as concurrent
| bin span=1h _time
| stats max(concurrent) as concurrent by _time
| eventstats min(_time) as start
| eval hour=(_time-start)/(60*60)
| makecontinuous hour
| filldown start concurrent
| eval _time=start+(hour*60*60)
| eventstats min(concurrent) as min_concurrent
| eval min_concurrent=if(min_concurrent>0, 0, min_concurrent)
| eval concurrent=concurrent-min_concurrent

Neither of these methods takes into account sessions which start before your time period and end after it.

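The streamstats-based searches in the replies above (the +1/-1 running total, the per-user lognum pairing for durations, the hourly max with makecontinuous/filldown, and the negative-minimum correction) reproduced in Python as one added example, so the arithmetic can be checked against known input. This is not code from the thread or from Splunk. The log lines, the user names and the use of EventCode 4779 as the logoff event are constructed sample data; as in the replies, 4778 counts +1 and every other EventCode counts -1.

```python
from datetime import datetime, timezone

HOUR = 3600
LOGON_CODE = "4778"  # as in the thread: 4778 counts +1, any other EventCode counts -1

# Constructed sample log lines (not from the thread). The window opens with a session
# already active: "bob" disconnects at 08:05 before any logon has been seen, which is
# what drives the running total negative. Hour 10:00 has no events at all.
LOG_LINES = [
    "2024-05-01T08:05:00Z EventCode=4779 User=bob",
    "2024-05-01T08:30:00Z EventCode=4778 User=alice",
    "2024-05-01T08:45:00Z EventCode=4778 User=carol",
    "2024-05-01T09:20:00Z EventCode=4779 User=alice",
    "2024-05-01T11:10:00Z EventCode=4778 User=dave",
    "2024-05-01T11:40:00Z EventCode=4779 User=carol",
    "2024-05-01T12:15:00Z EventCode=4779 User=dave",
]


def to_epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (Splunk's _time)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def parse(line):
    """'<ts> EventCode=<n> User=<u>' -> (epoch, EventCode, User); the `| fields` step."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return to_epoch(ts), fields["EventCode"], fields["User"]


def running_concurrency(lines):
    """sort 0 _time | eval logtype=if(EventCode="4778",1,-1) | streamstats sum(logtype)"""
    out, running = [], 0
    for t, code, _user in sorted(parse(line) for line in lines):
        running += 1 if code == LOGON_CODE else -1
        out.append((t, running))
    return out


def hourly_max(series):
    """bin span=1h _time | stats max(concurrent) as concurrent by _time"""
    peaks = {}
    for t, running in series:
        bucket = t - t % HOUR
        peaks[bucket] = max(peaks.get(bucket, running), running)
    return peaks


def fill_hours(peaks):
    """makecontinuous hour | filldown concurrent: an hour with no events inherits
    the previous hour's value instead of disappearing from the chart."""
    hours = sorted(peaks)
    filled, prev = {}, None
    for bucket in range(hours[0], hours[-1] + HOUR, HOUR):
        prev = peaks.get(bucket, prev)
        filled[bucket] = prev
    return filled


def correct_for_open_sessions(filled):
    """eventstats min(concurrent) | eval concurrent=concurrent-min_concurrent:
    a negative minimum means at least that many sessions were open before the
    window, so shift every hour up by that amount. Returns (corrected, shift)."""
    low = min(filled.values())
    shift = -low if low < 0 else 0
    return {b: v + shift for b, v in filled.items()}, shift


def concurrent_sessions_by_hour(lines):
    """The whole chained search: running total -> hourly max -> fill -> correct."""
    return correct_for_open_sessions(fill_hours(hourly_max(running_concurrency(lines))))


def session_durations(lines):
    """streamstats sum(eval(logtype==1)) as lognum by User
       | stats min(logon_time) min(logoff_time) by User lognum
       | eval duration = logoff_time - logon_time
    Pairs each user's n-th logon with the first logoff that follows it. Returns
    {(User, lognum): seconds}, or None when one side lies outside the window."""
    lognum, groups = {}, {}
    for t, code, user in sorted(parse(line) for line in lines):
        is_logon = code == LOGON_CODE
        if is_logon:
            lognum[user] = lognum.get(user, 0) + 1
        slot = groups.setdefault((user, lognum.get(user, 0)), {"logon": None, "logoff": None})
        side = "logon" if is_logon else "logoff"
        if slot[side] is None or t < slot[side]:
            slot[side] = t
    return {k: (g["logoff"] - g["logon"]) if None not in g.values() else None
            for k, g in groups.items()}


if __name__ == "__main__":
    hourly, shift = concurrent_sessions_by_hour(LOG_LINES)
    print(f"sessions already open at window start: {shift}")
    for bucket, n in sorted(hourly.items()):
        print(datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%d %H:00"), n)
    for (user, n), secs in sorted(session_durations(LOG_LINES).items()):
        print(user, n, secs)
```

On this input the running total dips to -1 at 08:05, so the correction shifts every hour up by 1 and the chart reads 2, 1, 1, 2, 0 for 08:00 through 12:00, with 10:00 filled from 09:00. Two things worth knowing before trusting such a chart: the per-bucket max only sees values recorded at events inside that bucket, so an hour whose only events are logoffs (09:00 and 12:00 here) reports the count after those logoffs rather than the count at the top of the hour; and, as the reply above says, a session with neither event inside the window is invisible to both the running total and the shift.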