Splunk Search

How to track state changes for RDP sessions and generate a report show durations with start and end times?

New Member

So I am looking for help, I guess I just found something I can't do with Splunk... and I know I'm wrong, only I can't prove it!
It may be related to me (as I am somehow new to Splunk), so please help. Here goes:

Basically, I have events like:

Time     | SessionId | State
01:00:00 | 7         | Active
01:01:00 | 7         | Disconnected
01:02:00 | 7         | Disconnected
01:03:00 | 7         | Active

What I would like is to generate a report to show actual session durations (with start time and end time), something like this:

Session 7 | State=Active        | Start 01:00:00 | End 01:01:00
Session 7 | State=Disconnected  | Start 01:01:00 | End 01:03:00
Session 7 | State=Active        | Start 01:03:00 | End ....

I tried with streamstats, but no go, and unfortunately I am in a lack of ideas, so any help would be highly appreciated!

0 Karma


Try something like this (this is untested, so you will have to tweak it to get it to work)

your_search | reverse | eval ct=if(match(_raw, "Active"), 1, 0) | streamstats window=1 count(ct) as uid min(_time) as start max(_time) as end by SessionId | table _time SessionId start end State
0 Karma

New Member

Thanks, but ... it won't work.
Let's take the following scenario: Session ID 6 is Active from 01:00:00 to 01:01:00 (1 minute)
It goes in Disconnect from 01:01:00 to 01:03:00 (2 minutes)
It goes back to active from 01:03:00 to 01:10:00 (7 minutes).
What I need is to identify the State change and somehow to measure earliest and latest time for the events until state change, and then go on.... with the rest.
P.S. I already got to a similar result using streamstats, but I tried nevertheless your proposed answer, with no result ...

0 Karma


I didn't think about the start/end for disconnected state. This should do it.

| sort sid | streamstats window=2 earliest(time) as start latest(time) as end by sid | table time sid state start end | eval end=if(end=start, strftime(now(), "%m/%d/%Y %H:%M"), end)
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...