Splunk Search

How to calculate Splunk session for a user ?

vikas_gopal
Builder

Hi Experts,

I want to create a report for the last 24 hours which provides information like how many hours users were on Splunk in the past 24 hours, or in other words how many hours each user spent on Splunk.

Output will be like

User    Number of hours
Admin   10
test    5
abc     6

Regards
VG


adonio
Ultra Champion

I think, and I might be wrong, that Splunk does not record a logoff event, so it's not an easy task ...
You can search the _audit and _internal indexes to check on users and what they are doing, as well as logon time.
Here are a couple of answers around this topic:
https://answers.splunk.com/answers/226555/how-to-find-how-many-users-are-logged-into-splunk.html
https://answers.splunk.com/answers/3768/how-do-you-find-out-who-is-logged-onto-splunk-right-now.html

Hope it helps


vikas_gopal
Builder

Thank you Adonio for your quick response, and you are absolutely correct: from a single index it is not possible, so I have checked both _internal and _audit and I have prepared the query below. Somehow this is not working; any help here please.

index=_audit sourcetype=audittrail user=admin action=log* | append [search index=_internal sourcetype=splunk_web_service user=admin action=log*] | sort 0 - _time | transaction user startswith=eval(action=="login attempt") endswith=eval(action=="logout") | table user action status info duration

adonio
Ultra Champion

I can help you with the query, but I suspect it won't be useful, as Splunk captures a "logout" event only when you click logout. If you close your tab, or let the session time out, I suspect Splunk will not record it.
Another reason it will be tough to sum up the duration of sessions is that you don't have a unique session / transaction id to group by. So for every user that logs in more than one time, it gets pretty challenging.


vikas_gopal
Builder

Totally agreed, I have observed the same with the data. Well, thanks for all the efforts; I will keep this question as unanswered. Let's see what others think about this.

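The two obstacles raised in this thread (no logout event unless the user clicks logout, and no session id to group logins by) can be handled by a conservative heuristic: credit each session from its successful login to its logout, or, when no logout was recorded, only up to the user's last recorded action before an idle timeout. The following is an added Python illustration of that heuristic over constructed audittrail-style events, not code from this thread or from Splunk; the 60-minute idle timeout and the sample events are assumptions, and the same "credit up to the last action" logic is what an SPL version would have to reproduce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=60)  # assumption: idle gap after which a silent session is treated as ended
# Constructed sample events in the comma-separated key=value style of audittrail (not real data).
SAMPLE_AUDIT = [
    "timestamp=2022-08-03T08:00:00, user=admin, action=login attempt, info=succeeded",
    "timestamp=2022-08-03T09:20:00, user=admin, action=logout, info=succeeded",
    "timestamp=2022-08-03T13:00:00, user=test, action=login attempt, info=succeeded",
    "timestamp=2022-08-03T13:45:00, user=test, action=search, info=granted",
    "timestamp=2022-08-03T15:30:00, user=test, action=search, info=granted",  # 105 min gap, no logout
    "timestamp=2022-08-03T16:00:00, user=abc, action=login attempt, info=failed",
    "timestamp=2022-08-03T16:05:00, user=abc, action=login attempt, info=succeeded",
    "timestamp=2022-08-03T16:35:00, user=abc, action=search, info=granted",
]

def parse_event(line):
    fields = dict(part.strip().split("=", 1) for part in line.split(","))
    fields["timestamp"] = datetime.fromisoformat(fields["timestamp"])
    return fields

def hours_per_user(lines, idle_timeout=IDLE_TIMEOUT):
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["timestamp"])
    open_sessions = {}  # user -> (session_start, last_activity)
    seconds = defaultdict(float)
    def close(user, end):
        start, _ = open_sessions.pop(user)
        seconds[user] += (end - start).total_seconds()
    for ev in events:
        user, ts, action = ev["user"], ev["timestamp"], ev["action"]
        if action == "login attempt":
            if ev.get("info") == "succeeded":
                if user in open_sessions:  # re-login without a logout: end the old session at its last action
                    close(user, open_sessions[user][1])
                open_sessions[user] = (ts, ts)
            continue  # failed attempts open nothing
        if user not in open_sessions:
            continue  # activity with no recorded login cannot be attributed to a session
        start, last = open_sessions[user]
        if action == "logout":
            close(user, ts)
        elif ts - last > idle_timeout:  # session expired silently: credit only up to the last action
            close(user, last)
            open_sessions[user] = (ts, ts)
        else:
            open_sessions[user] = (start, ts)
    for user in list(open_sessions):  # still open at the end of the window
        close(user, open_sessions[user][1])
    return {user: secs / 3600 for user, secs in seconds.items()}
```

With the sample events, admin is credited 80 minutes (explicit logout), test 45 minutes (the second session is closed at its last action, so the 105-minute gap is not counted), and abc 30 minutes (the failed login is ignored).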