Splunk Search

How to get a count of unique number of users on server with only login and logout information

Splunkster45
Communicator

I have two types of logs in my files that record when a user logs in and logs out. They are of the form:

Session <number> <user> started
Session <number> ended

Currently, I am able to create a nifty chart that tells me how many unique logins there are per hour. However, if someone logs in at 11:05 and logs off at 1:15, they are not marked as either being logged on for the 12 o'clock hour or the 1 o'clock hour. One way that I am thinking of doing this would be to have some kind of count variable. This variable increases by one for every unique login (users can log in multiple times and have multiple open sessions) and then decreases when that user is no longer logged in (has logged off of all sessions). Does anyone have an idea of how to do this?

I know a starting point would be to assume that each user can only log on once, then extrapolate to the above case; however, I'm not familiar enough with Splunk to write either event. Unfortunately, I'm not familiar enough with Splunk to know how to go about this. I've been using the transaction command to get the duration of each session, but I don't think that helps us here.

Thanks in advance!

0 Karma

yannK
Splunk Employee

You probably want to extract the login/logout action and add an increment field with +1 or -1:

| rex "(?<action>started|ended)" | eval increment=case(action="started",1,action="ended",-1,1=1,0)

Then use a streamstats command to sum the increments over the time.

Example of a similar search:
http://answers.splunk.com/answers/153299/bulletproof-approach-for-charting-concurrency-with-split-by...

Another solution is a transaction command and the "concurrency" field, but they have limits and are more costly.
see http://answers.splunk.com/answers/5352/concurrency-count.html
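The running-sum approach from the answer above, reimplemented outside Splunk as an added example (this is not code from the original thread or from Splunk). It parses constructed sample log lines in the two shapes the question gives, replays them in time order the way `streamstats sum(increment)` would, and keeps a session-number-to-user mapping so that the "ended" lines, which carry no user name, can still be attributed to a user. That mapping is what lets it count distinct logged-in users rather than open sessions; a plain +1/-1 per session over-counts a user who has several sessions open. It also produces the per-hour figure the question asked for by counting a user in every hour that one of their sessions overlaps. The timestamp format, the user names and the session numbers are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Timestamp format and
# user/session values are assumptions; the two line shapes match the question.
# Session 999 ends without a visible start, as happens when a session began
# before the search window.
SAMPLE_LOG = """\
2024-03-01 11:05:00 Session 101 alice started
2024-03-01 11:20:00 Session 102 bob started
2024-03-01 11:40:00 Session 103 alice started
2024-03-01 11:50:00 Session 102 ended
2024-03-01 12:10:00 Session 104 carol started
2024-03-01 12:30:00 Session 103 ended
2024-03-01 12:50:00 Session 105 dave started
2024-03-01 12:55:00 Session 105 ended
2024-03-01 13:15:00 Session 101 ended
2024-03-01 13:20:00 Session 999 ended
2024-03-01 13:45:00 Session 104 ended
"""

# "ended" lines carry no user, so the user group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Session (?P<session>\d+)(?: (?P<user>\S+))? (?P<action>started|ended)$"
)


def parse_events(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "session": m["session"], "user": m["user"],
                       "action": m["action"]})
    return events


def running_concurrency(lines):
    """Mirror of `streamstats sum(increment)`: replay events in ascending time
    order and record, after each one, the running number of open sessions and
    of distinct logged-in users. Unmatched "ended" events get increment 0 so
    the running sum can never go negative."""
    session_user = {}                 # session number -> user, from "started"
    open_per_user = defaultdict(int)  # user -> number of open sessions
    rows = []
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if ev["action"] == "started":
            session_user[ev["session"]] = ev["user"]
            open_per_user[ev["user"]] += 1
            inc = 1
        else:
            user = session_user.pop(ev["session"], None)
            if user is None:
                inc = 0
            else:
                open_per_user[user] -= 1
                if open_per_user[user] == 0:
                    del open_per_user[user]   # logged off all sessions
                inc = -1
        rows.append({"ts": ev["ts"], "session": ev["session"], "increment": inc,
                     "open_sessions": sum(open_per_user.values()),
                     "unique_users": len(open_per_user)})
    return rows


def session_intervals(lines):
    """Pair each "started" line with its "ended" line by session number.
    Returns (user, start, end) tuples; end is None for a still-open session."""
    starts, intervals = {}, []
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if ev["action"] == "started":
            starts[ev["session"]] = (ev["user"], ev["ts"])
        elif ev["session"] in starts:
            user, start = starts.pop(ev["session"])
            intervals.append((user, start, ev["ts"]))
    intervals.extend((user, start, None) for user, start in starts.values())
    return intervals


def unique_users_per_hour(lines):
    """Distinct users logged in at any point during each clock hour, so a
    session from 11:05 to 13:15 counts its user in the 11, 12 and 13 hours."""
    intervals = session_intervals(lines)
    if not intervals:
        return {}
    bounds = [s for _, s, _ in intervals] + [e for _, _, e in intervals if e]
    hour = min(bounds).replace(minute=0, second=0, microsecond=0)
    last = max(bounds)
    per_hour = {}
    while hour <= last:
        hour_end = hour + timedelta(hours=1)
        active = {u for u, s, e in intervals
                  if s < hour_end and (e is None or e > hour)}
        per_hour[hour.strftime("%Y-%m-%d %H:00")] = len(active)
        hour = hour_end
    return per_hour


if __name__ == "__main__":
    for row in running_concurrency(SAMPLE_LOG.splitlines()):
        print(row["ts"], row["session"], row["increment"],
              row["open_sessions"], row["unique_users"])
    print(unique_users_per_hour(SAMPLE_LOG.splitlines()))
```

Two caveats carry straight back to the SPL version: streamstats only gives a meaningful running sum when the events arrive in ascending time order (for example after `| sort 0 _time` or `| reverse`), and an "ended" event whose "started" event lies outside the search window must contribute 0, not -1, or the count drifts negative for the rest of the search.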
