Splunk Search

How to edit my search to calculate total duration for periods with actual events (User activity time)?

aladda_splunk
Splunk Employee

Looking for help coming up with a search to calculate the total duration there were events in a given time period - essentially a reflection (for the given use case) of how much time the user was actively doing something.

So if user A logged in at 11 am, did 5 things between 11 and 11:01, nothing between 11:01 and 11:03 and then again between 11:03 and 11:04 did 10 things, 11:04 to 11:05 did 3 things, then in total the user was active for 3 out of the 5 mins. Only care about 1 minute granularity.

I'm using transaction with a maxpause of 60s to represent "inactivity" for a certain time period and then aggregate "duration" to get active_time:

| transaction USER_ID maxpause=65s | stats sum(duration) as dur | eval active_time = dur/60

Looking for other ideas and techniques to approach this.

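An added example (not from the original post or from Splunk) that reproduces the question's five-minute scenario in Python: it sums session durations the way `transaction USER_ID maxpause=65s | stats sum(duration)` would, and compares that with a count of distinct minute buckets that contain at least one event. The event timestamps and function names are constructed for this illustration.

```python
from datetime import datetime

# Constructed sample: user A from the question, as (timestamp, USER_ID) pairs.
# 5 events between 11:00 and 11:01, none between 11:01 and 11:03,
# 10 events between 11:03 and 11:04, 3 events between 11:04 and 11:05.
def _t(hh, mm, ss):
    return datetime(2024, 1, 1, hh, mm, ss)

EVENTS = (
    [(_t(11, 0, 10 * i), "A") for i in range(5)]
    + [(_t(11, 3, 6 * i), "A") for i in range(10)]
    + [(_t(11, 4, 20 * i), "A") for i in range(3)]
)


def transaction_active_seconds(events, user, maxpause=65):
    """Mimic `transaction USER_ID maxpause=65s | stats sum(duration)`:
    sort the user's events, start a new session whenever the gap between
    consecutive events exceeds maxpause seconds, and sum (last - first)
    per session. A session holding a single event contributes 0 seconds,
    and the partial minute after a session's last event is never counted."""
    times = sorted(t for t, u in events if u == user)
    if not times:
        return 0.0
    total = 0.0
    start = prev = times[0]
    for t in times[1:]:
        if (t - prev).total_seconds() > maxpause:
            total += (prev - start).total_seconds()
            start = t
        prev = t
    total += (prev - start).total_seconds()
    return total


def active_minutes(events, user):
    """Count distinct one-minute buckets that contain at least one event.
    This gives the '3 out of 5 minutes' figure the question describes."""
    buckets = {t.replace(second=0, microsecond=0) for t, u in events if u == user}
    return len(buckets)


if __name__ == "__main__":
    print("transaction-style seconds:", transaction_active_seconds(EVENTS, "A"))
    print("distinct active minutes:", active_minutes(EVENTS, "A"))
```

On this sample the transaction approach sums 140 seconds (about 2.3 minutes) because each session's duration is measured from its first to its last event, while the bucket count returns the 3 minutes the question expects; the bucket count corresponds to the SPL `... | bin _time span=1m | stats dc(_time) as active_minutes by USER_ID`.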

sundareshr
Legend

How frequently are the events logged, and how is active vs inactive determined? Assuming the events are logged only when the user is active, you can try something like this

... | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")

If events are logged for active as well as inactive state, try this

... state="active" | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")