Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to track state changes for RDP sessions and generate a report show durations with start and end times?

sergiupopescu
New Member
‎12-10-2015 04:19 AM

So I am looking for help, I guess I just found something I can't do with Splunk... and I know I'm wrong, only I can't prove it!
It may be related to me (as I am somehow new to Splunk), so please help. Here goes:

Basically, I have events like:

Time     | SessionId | State
01:00:00 | 7         | Active
01:01:00 | 7         | Disconnected
01:02:00 | 7         | Disconnected
01:03:00 | 7         | Active

What I would like is to generate a report to show actual session durations (with start time and end time), something like this:

Session 7 | State=Active        | Start 01:00:00 | End 01:01:00
Session 7 | State=Disconnected  | Start 01:01:00 | End 01:03:00
Session 7 | State=Active        | Start 01:03:00 | End ....

I tried with streamstats, but no go, and unfortunately I am in a lack of ideas, so any help would be highly appreciated!

0 Karma
Reply

sundareshr
Legend
‎12-10-2015 06:19 AM

Try something like this (this is untested, so you will have to tweak it to get it to work)

your_search | reverse | eval ct=if(match(_raw, "Active"), 1, 0) | streamstats window=1 count(ct) as uid min(_time) as start max(_time) as end by SessionId | table _time SessionId start end State
0 Karma
Reply

sergiupopescu
New Member
‎12-10-2015 06:39 AM

Thanks, but ... it won't work.
Let's take the following scenario: Session ID 6 is Active from 01:00:00 to 01:01:00 (1 minute)
It goes in Disconnect from 01:01:00 to 01:03:00 (2 minutes)
It goes back to active from 01:03:00 to 01:10:00 (7 minutes).
What I need is to identify the State change and somehow to measure earliest and latest time for the events until state change, and then go on.... with the rest.
P.S. I already got to a similar result using streamstats, but I tried nevertheless your proposed answer, with no result ...

0 Karma
Reply

sundareshr
Legend
‎12-10-2015 12:12 PM

I didn't think about the start/end for disconnected state. This should do it. 

| sort sid | streamstats window=2 earliest(time) as start latest(time) as end by sid | table time sid state start end | eval end=if(end=start, strftime(now(), "%m/%d/%Y %H:%M"), end)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...