Hello Everyone,
Need help in writing a Splunk search that can help me measure the stats correctly. Please note the data is sometimes sent to Splunk more than once due to an error on our server.
Here is an overview: I am interested in knowing for how long a user has been using my application. An event will have user_id, connection state (values are connected, paused, and terminated), session_length, timestamp. The usage of an application for a user can be retrieved from field session_length.
When the user is either in paused or terminated state, it would contain a session length value. If the user state contains connected, paused, and terminated for a sequence, then the session length should be derived from terminated state, else the session length should be computed from paused state.
Unfortunately, the paused and terminated data is sent more than once to the server. I would like to filter such data.
The sample data is written below.
Consideration --> If for a sequence of events for that user, the terminated/paused state is reported twice, then use the oldest session length for that sequence.
Sample Data
User1 Terminated session_length=13 timestamp=10.13.
User1 Terminated session_length=11 timestamp=10.11.
User1 Paused session_length=10 timestamp=10.10
User1 Connected timestamp=10.00
--
User1 Paused session_length=5 timestamp=9.05
User1 Connected timestamp=9.00
--
User2 Terminated session_length=13 timestamp=10.13.
User2 Terminated session_length=11 timestamp=10.11.
User2 Paused session_length=10 timestamp=10.10
User2 Connected timestamp=10.00
--
User1 Terminated session_length=6 timestamp=9.06
User1 Connected timestamp=8.00
--
For the sample data set above, I have used the delimiter -- to filter the sequences and explain how the duration will be calculated.
1) For User1 (from top to bottom), consider the first sequence. User state is connected, paused, terminated, terminated. So its session length is 11 (consider the earliest reported session length).
2) For User1, sequence 2, the user state is connected, paused. So its session length is 5.
3) For User2, sequence 2, the User2 states are connected, paused, terminated, terminated. Its session length is 11.
4) For User1, sequence 4, the user state is connected, terminated. Its session length is 6.
The Splunk search should report a sum of session lengths per user, which is:
User_Id TotalSessionLength
User1 22
User2 11
I appreciate your response.
Thank you
You could probably take the difference between two fields?
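The sequence rule from the question, written out as a small Python reference that a search's output can be checked against (an added example, not part of the original thread and not a Splunk search). It assumes a new sequence starts at each Connected event per user and reads the rows in the listed order, newest first, rather than sorting by timestamp, because the last sample block's timestamps overlap the second block; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed input: the question's sample rows in the order listed there
# (newest first), with the "--" delimiters and trailing periods removed.
SAMPLE = """\
User1 Terminated session_length=13 timestamp=10.13
User1 Terminated session_length=11 timestamp=10.11
User1 Paused session_length=10 timestamp=10.10
User1 Connected timestamp=10.00
User1 Paused session_length=5 timestamp=9.05
User1 Connected timestamp=9.00
User2 Terminated session_length=13 timestamp=10.13
User2 Terminated session_length=11 timestamp=10.11
User2 Paused session_length=10 timestamp=10.10
User2 Connected timestamp=10.00
User1 Terminated session_length=6 timestamp=9.06
User1 Connected timestamp=8.00
"""

def parse(line):
    """Split one row into (user, lower-cased state, session_length or None)."""
    user, state, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    length = fields.get("session_length")
    return user, state.lower(), int(length) if length is not None else None

def sequence_length(seq):
    """seq maps state -> first reported length; terminated wins over paused."""
    return seq["terminated"] if "terminated" in seq else seq.get("paused", 0)

def total_session_length(text):
    totals = defaultdict(int)
    open_seq = {}  # user -> first reported length per state, current sequence
    # Reverse the listing so each user's events are seen oldest first.
    for line in reversed(text.strip().splitlines()):
        user, state, length = parse(line)
        if state == "connected":
            # A new connection closes the user's previous sequence, if any.
            totals[user] += sequence_length(open_seq.pop(user, {}))
            open_seq[user] = {}
        elif length is not None:
            # setdefault keeps the oldest report; resent duplicates are ignored.
            open_seq.setdefault(user, {}).setdefault(state, length)
    for user, seq in open_seq.items():
        totals[user] += sequence_length(seq)  # sequences still open at the end
    return dict(totals)
```
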