Splunk Search
Highlighted

How to edit my search to calculate total duration for periods with actual events (User activity time)?

Splunk Employee
Splunk Employee

Looking for help coming up with search to calculate the total duration there were events in a given time period - essentially a reflection (for the given use case) for how much time the user was actively doing something.

So if user A logged in at 11 am, did 5 things between 11 and 11:01, nothing between 11:01 and 11:03 and then again between 11:03 and 11:04 did 10 things, 11:04 to 11:05 did 3 things, then in total the user was active for 3 out of the 5 mins. Only care about 1 minute granularity.

I'm using transaction with maxpause of 60s to represent "inactivity" for a certain time period and then aggregate "duration" to get active_time

| transaction USER_ID maxpause=65s | stats sum(duration) as dur | eval active_time = dur/60

Looking for other ideas and techniques to approach this.

0 Karma
Highlighted

Re: How to edit my search to calculate total duration for periods with actual events (User activity time)?

Legend

How frequently are the events logged and do is active vs inactive determined? Assuming the events logged are only when the user is active, you can try something like this

... | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")

If events are logged for active as well as inactive state, try this

... state="active" | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")**
0 Karma