Splunk Search

How to get a count of unique number of users on server with only login and logout information


I have two types of logs in my files that record when a user logs in and logs out. They are of the form:

Session <number> <user> started
Session <number> ended

Currently, I am able to create a nifty chart that tells me how many unique logins there are per hour. However, if someone logs in at 11:05 and logs off at 1:15, they are not marked as either being logged on for the 12 o'clock hour or the 1 o'clock hour. One way that I am thinking of doing this would be to have some kind of count variable. This variable increases by one for every unique login (users can log in multiple times and have multiple open sessions) and then decreases when that user is no longer logged in (has logged off of all sessions). Does anyone have an idea of how to do this?

I know a starting point would be to assume that each user can only log on once, then extrapolate to the above case, however I'm not familiar enough with Splunk to write either event. Unfortunately, I'm not familiar enough with Splunk to know how to go about this. I've been using the transaction command to get the duration of each session, but I don't think that helps us here.

Thanks in advance!


Splunk Employee

You probably want to extract the login/logon and add an increment field with +1 or -1.

| rex "(?<action>(started|ended))" | eval increment=case(action="started",1,action="ended",-1,1=1,0)

Then use a streamstats command to sum the increments over time.

example of similar search

Another solution is a transaction command and the "concurrency" field, but they have limits and are more costly.
see http://answers.splunk.com/answers/5352/concurrency-count.html
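
The +1/-1 running sum from the answer above, modelled outside Splunk as an added example (not code from the original posts). It goes one step further than the answer: it keeps the sum per user so several open sessions count once, and credits every hour a user's sessions span. The leading timestamp, the sample events and the name `users_per_hour` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events: the two message formats from the question, with an
# assumed leading timestamp (the original post does not show one).
SAMPLE = """\
2024-01-01 11:05:00 Session 1 alice started
2024-01-01 11:20:00 Session 2 bob started
2024-01-01 11:40:00 Session 3 alice started
2024-01-01 11:50:00 Session 2 ended
2024-01-01 11:55:00 Session 3 ended
2024-01-01 13:15:00 Session 1 ended
2024-01-01 13:30:00 Session 9 ended
"""
LINE = re.compile(r"^(\S+ \S+) Session (\d+)(?: (\S+))? (started|ended)$")

def users_per_hour(log_text):
    """Return {hour_start: set of users with at least one open session in that hour}."""
    owner = {}                        # session number -> user ("ended" lines omit the user)
    open_sessions = defaultdict(int)  # user -> running sum of the +1/-1 increments
    online_since = {}                 # user -> time their first open session started
    hours = defaultdict(set)
    last_seen = None
    def mark(user, start, end):       # credit every hour bucket from start to end
        hour = start.replace(minute=0, second=0)
        while hour <= end:
            hours[hour].add(user)
            hour += timedelta(hours=1)
    # Splunk returns newest events first; the running sum needs oldest first.
    for line in sorted(log_text.splitlines()):
        m = LINE.match(line)
        if not m:
            continue
        stamp, session, user, action = m.groups()
        last_seen = ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if action == "started":
            owner[session] = user
            open_sessions[user] += 1
            online_since.setdefault(user, ts)
            continue
        user = owner.pop(session, None)
        if user is None:              # session began before the data window: no user known
            continue
        open_sessions[user] -= 1
        if open_sessions[user] == 0:  # last open session closed: user is offline
            mark(user, online_since.pop(user), ts)
    for user, start in online_since.items():  # still logged in when the data ends
        mark(user, start, last_seen)
    return dict(hours)
```

In Splunk terms, `open_sessions` corresponds to a `streamstats sum(increment)` split by user, after the user has been copied onto each "ended" event through the shared session number.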
