Get Currently logged in Users

ajebakumar
Loves-to-Learn

Hi, 

I am building a dashboard for my application being monitored in Splunk. As part of this I am getting the timestamp of the latest login and latest logout. Below is a sample output I am getting with the query I have built (query provided below). The output I am looking for in this case is AAA & CCC as RMID. Kindly suggest.

RMID    LTIME                      OTIME
AAA     19-01-2021 10:55:32:002    19-01-2021 08:32:32:001
BBB     19-01-2021 11:50:12:002    19-01-2021 12:52:32:001
CCC     19-01-2021 10:55:32:002

Below is the search query I have:

index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success")
| eventstats max(AuthenticationTime) as LoginTime by RMID
| append
    [ search index="" kubernetes_namespace="uat" LoginStatus IN ("Logout Success")
    | eventstats max(AuthenticationTime) as LogoutTime by RMID]
| eventstats values(LoginTime) AS LTime, values(RMID) as RMID, values(LogoutTime) AS OTime
| table RMID, LTime, OTime
| dedup RMID
| eval LoggedInTime = strptime(LTime,"%Y-%m-%d %H:%M:%S.%N")
| eval LoggedOutTime = strptime(OTime,"%Y-%m-%d %H:%M:%S.%N")


scelikok
SplunkTrust

Hi @ajebakumar,

You can filter like below:

index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success") 
| eventstats max(AuthenticationTime) as LoginTime by RMID 
| append 
    [ search index="" kubernetes_namespace="uat" LoginStatus IN ("Logout Success") 
    | eventstats max(AuthenticationTime) as LogoutTime by RMID] 
| eventstats values(LoginTime) AS LTime, values(RMID) as RMID, values(LogoutTime) AS OTime 
| fillnull value=0 OTime
| where OTime<LTime
| table RMID, LTime, OTime 
| dedup RMID 
| eval LoggedInTime = strptime(LTime,"%Y-%m-%d %H:%M:%S.%N") 
| eval LoggedOutTime = strptime(OTime,"%Y-%m-%d %H:%M:%S.%N")

If this reply helps you an upvote is appreciated.

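As an added example (not code from either post above), the same "latest login is later than the latest logout, or there is no logout at all" rule written as a single stats search over constructed sample events, so no append, eventstats or dedup is needed and the comparison is done on epoch values rather than on timestamp strings. The field names RMID, LoginStatus and AuthenticationTime come from the posts; the sample values are constructed, and it is assumed that the raw AuthenticationTime values match the "%Y-%m-%d %H:%M:%S.%N" layout used in the question's strptime call.

```spl
| makeresults
| eval events="AAA|Authentication Success|2021-01-19 10:55:32.002;AAA|Logout Success|2021-01-19 08:32:32.001;BBB|Authentication Success|2021-01-19 11:50:12.002;BBB|Logout Success|2021-01-19 12:52:32.001;CCC|Authentication Success|2021-01-19 10:55:32.002"
| makemv delim=";" events
| mvexpand events
| rex field=events "^(?<RMID>[^|]+)\|(?<LoginStatus>[^|]+)\|(?<AuthenticationTime>.+)$"
| eval epoch=strptime(AuthenticationTime, "%Y-%m-%d %H:%M:%S.%N")
| eval login_epoch=if(LoginStatus=="Authentication Success", epoch, null())
| eval logout_epoch=if(LoginStatus=="Logout Success", epoch, null())
| stats max(login_epoch) AS LoggedInTime, max(logout_epoch) AS LoggedOutTime BY RMID
| where isnull(LoggedOutTime) OR LoggedOutTime < LoggedInTime
| eval LTime=strftime(LoggedInTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval OTime=strftime(LoggedOutTime, "%Y-%m-%d %H:%M:%S.%3N")
| table RMID LTime OTime
```

The first five lines only build the sample events and return AAA and CCC; against real data, replace them with a single base search such as `index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success","Logout Success")` and keep the lines from the first `eval` onward unchanged.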