Good afternoon.
Please forgive my ignorance. I have been 'splunking' now for a few weeks and I am still very much learning as I go.
I have been tasked with creating a distribution graph that shows X-axis would be total session time and Y-axis would be the count of sessions that have that session time. Currently I have managed to extract the shown fields using rex, but I am unsure of how to progress. I guess using the existing fields ctime and dtime, I need to create a field session_time, but I am not sure how to do this?
...| eval ctime,dtime = session_time fails (perhaps obviously).
host=********* sourcetype="WinEventLog:System" EventCode=20272 SourceName=RemoteAccess | rex field=Message ": The user (?<user>\S+) connected on port (?<port>\S+) on (?<cdate>\S+) at (?<ctime>\S+) and disconnected on (?<ddate>\S+) at (?<dtime>\S+).*?active for (?<cmins>\d+) minutes (?<csecs>\d+) seconds"
Any advice or assistance would be greatly appreciated.
Kind regards,
Rob.
The following should work
host=* sourcetype="WinEventLog:System" EventCode=20272 SourceName=RemoteAccess
| rex field=Message ": The user (?<user>\S+) connected on port (?<port>\S+) on (?<cdate>\S+) at (?<ctime>\S+) and disconnected on (?<ddate>\S+) at (?<dtime>\S+).*? active for (?<cmins>\d+) minutes (?<csecs>\d+) seconds"
| eval session_time = cmins*60 + csecs
| stats count by session_time
However, the session time is calculated down to the second - you might want to group the sessions by minute instead...
Thank you so much for your answer.
I guess I now need to learn about buckets to set suitable time spans. I do really appreciate your assistance with this.
If you just did
| eval session_time = cmins
You would already be grouping the session time by minutes instead of seconds.
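Worked example added for readers of this thread (it is not code posted by any of the participants): the thread's rex pattern applied in Python to constructed EventCode 20272 RemoteAccess messages, producing the per-second count from the answer, the per-minute grouping it suggests, and the cmins-only shortcut from the follow-up. The CoId values, users, ports, dates and byte counts in the sample messages are made up, and times are written in 24-hour form so that the `\S+` capture for ctime/dtime matches as it does in the thread.

```python
import re
from collections import Counter

# The thread's rex pattern, translated from Splunk's (?<name>...) group syntax
# to Python's (?P<name>...). Everything else is kept verbatim.
SESSION_RE = re.compile(
    r": The user (?P<user>\S+) connected on port (?P<port>\S+) on (?P<cdate>\S+) "
    r"at (?P<ctime>\S+) and disconnected on (?P<ddate>\S+) at (?P<dtime>\S+)"
    r".*? active for (?P<cmins>\d+) minutes (?P<csecs>\d+) seconds"
)

# Constructed Message values in the shape of EventCode 20272 (RemoteAccess)
# disconnect events; the CoIds, users, ports, dates and byte counts are made up.
SAMPLE_MESSAGES = [
    "CoId={0000001}: The user CORP\\alice connected on port VPN2-127 on 3/14/2024 "
    "at 09:02:11 and disconnected on 3/14/2024 at 09:45:30. The user was "
    "active for 43 minutes 19 seconds. 1200 bytes were sent and 3400 bytes were received.",
    "CoId={0000002}: The user CORP\\bob connected on port VPN2-128 on 3/14/2024 "
    "at 09:10:00 and disconnected on 3/14/2024 at 09:10:45. The user was "
    "active for 0 minutes 45 seconds. 80 bytes were sent and 120 bytes were received.",
    "CoId={0000003}: The user CORP\\carol connected on port VPN2-129 on 3/14/2024 "
    "at 13:00:00 and disconnected on 3/14/2024 at 13:43:05. The user was "
    "active for 43 minutes 5 seconds. 9000 bytes were sent and 2500 bytes were received.",
    "CoId={0000004}: The user CORP\\dave connected on port VPN2-130 on 3/14/2024 "
    "at 14:00:00 and disconnected on 3/14/2024 at 16:00:00. The user was "
    "active for 120 minutes 0 seconds. 5 bytes were sent and 5 bytes were received.",
    # A Message that does not describe a completed session: rex leaves the
    # fields null for such events and "stats count by" drops them.
    "CoId={0000005}: The user CORP\\erin failed to authenticate on port VPN2-131.",
]


def extract_session(message):
    """Return the rex fields plus session_time in seconds, or None when the
    message does not match (the equivalent of rex producing null fields)."""
    m = SESSION_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    # rex yields strings; Splunk's eval coerces numeric strings, Python does not.
    cmins, csecs = int(fields["cmins"]), int(fields["csecs"])
    fields["cmins"], fields["csecs"] = cmins, csecs
    fields["session_time"] = cmins * 60 + csecs  # | eval session_time = cmins*60 + csecs
    return fields


def session_time_histogram(messages, span=1):
    """Equivalent of '| bin session_time span=<span> | stats count by session_time'.
    span=1 reproduces the answer's per-second counts; span=60 groups the
    sessions by whole minutes, as the answer suggests."""
    counts = Counter()
    for msg in messages:
        s = extract_session(msg)
        if s is None:
            continue
        bucket = (s["session_time"] // span) * span
        counts[bucket] += 1
    return dict(sorted(counts.items()))


def minutes_histogram(messages):
    """The follow-up's shortcut: '| eval session_time = cmins' keeps only the
    whole-minute part, so 43m19s and 43m05s land in the same bin."""
    counts = Counter(s["cmins"] for s in map(extract_session, messages) if s)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("per second:", session_time_histogram(SAMPLE_MESSAGES))
    print("per minute:", session_time_histogram(SAMPLE_MESSAGES, span=60))
    print("cmins only:", minutes_histogram(SAMPLE_MESSAGES))
```

The `span=60` bucketing here is what Splunk's `bin` command (also spelled `bucket`) does with `span=60` placed between the `eval` and the `stats count by`; it keeps the seconds-level field available for other reports while the chart groups by minute. The non-matching fifth message is the case worth checking in a real dataset: events that do not carry the "active for" text silently vanish from the distribution rather than raising an error.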