Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Get Currently logged in Users

ajebakumar
Loves-to-Learn
‎01-20-2021 02:51 AM

Hi, 

I am building a dashboard for my application being monitored in Splunk. As part of this i am getting the timestamp  of the latest login and latest logout . Below is a Sample output i am getting with the query i have built (Query provided below). The Output i am looking in this case is AAA & CCC as RMID. Kindly suggest

RMID          LTIME                                                        OTIME

AAA           19-01-2021 10:55:32:002                19-01-2021 08:32:32:001

BBB           19-01-2021 11:50:12:002                19-01-2021 12:52:32:001

CCC           19-01-2021 10:55:32:002                

Below is the search query i have

index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success") | eventstats max(AuthenticationTime) as LoginTime  by RMID     |append  [search index="" kubernetes_namespace="uat" LoginStatus IN ("Logout Success") | eventstats max(AuthenticationTime) as LogoutTime  by RMID] |eventstats values(LoginTime) AS LTime, values(RMID) as RMID, values(LogoutTime) AS OTime | table  RMID, LTime, OTime | dedup RMID |eval  LoggedInTime = strptime(LoginTime,"%Y-%m-%d %H:%M:%S.%N") | eval  LoggedOutTime = strptime(OTime,"%Y-%m-%d %H:%M:%S.%N")

 

 

 

Labels (3)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-20-2021 05:08 AM

Hi @ajebakumar,

You can filter like below;

index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success") 
| eventstats max(AuthenticationTime) as LoginTime by RMID 
| append 
    [ search index="" kubernetes_namespace="uat" LoginStatus IN ("Logout Success") 
    | eventstats max(AuthenticationTime) as LogoutTime by RMID] 
| eventstats values(LoginTime) AS LTime, values(RMID) as RMID, values(LogoutTime) AS OTime 
| fillnull value=0 OTime
| where OTime<LTime
| table RMID, LTime, OTime 
| dedup RMID 
| eval LoggedInTime = strptime(LoginTime,"%Y-%m-%d %H:%M:%S.%N") 
| eval LoggedOutTime = strptime(OTime,"%Y-%m-%d %H:%M:%S.%N")

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...