- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a way to timechat the number of open sess...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to timechat the number of open sessions given a login and logout event?
Hi all,
I have login and logout events and I'm trying to plot a graph showing the number of open sessions each minute, my search looks something like this at the moment:
msg="Login" OR msg="Logout" | transaction sesid maxevents=2 maxspan=25h | where duration > 0
Is there any way to timechart the number of transactions that span each minute, so I should see a graph showing how many sessions are open at a given time?
At the moment I am having to export to excel with a list of each minute in the time span in one column and with an "Open Sessions" column adding 1 for each login and subtracting 1 for each logout, then graphing this against time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right,
I've been working on this again and I think I have something which works really well now:
foo earliest=@w0 |
transaction sesid |
eval countlogin=1 |
append [ search foo earliest=@w0 |
transaction sesid |
eval countlogin=-1 | eval _time=_time+duration ] |
stats sum(countlogin) AS countlogin by _time |
streamstats sum(countlogin) AS runningtotal |
eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") | fields _time, runningtotal
It creates a 1 when a session starts, a -1 when a session ends and then cumulatively sums them over time. You still have to fairly confident that when the query starts there are no open sessions ( I can do that with my tool at the beginning of the week ).
Please ignore all of the below, it was my previous attempt and there are several things wrong with it
By the way, this is the closest I got:
foo earliest=@w0 | transaction sesid keeporphans=true maxspan=13h | concurrency duration=duration | chart max(concurrency) by _time
this produces a nice little graph, there are 2 problems with it, 1 is that it's only very accurate if the start point you know there are 0 open sessions and secondly is that the graph never actually shows there being 0 open sessions.
Neither of these 2 problems were too much of an issue as I just needed to show off shiny graphs to management.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way I've found of doing it if you always have more than 1 login per hour during the day is:
foo earliest=@w0 | transaction sesid keeporphans=true maxspan=13h | concurrency duration=duration | timechart max(concurrency) span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I always think of this blog post when I see these types of questions: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
I hope it proves useful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this helped a little, following through and I ended up finding several bugs in our application I'm getting the dev team to look over it, haha
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
