Splunk Search

Is there a way to timechart the number of open sessions given a login and logout event?

DamianS
Explorer

Hi all,

I have login and logout events and I'm trying to plot a graph showing the number of open sessions each minute, my search looks something like this at the moment:
msg="Login" OR msg="Logout" | transaction sesid maxevents=2 maxspan=25h | where duration > 0

Is there any way to timechart the number of transactions that span each minute, so I should see a graph showing how many sessions are open at a given time?

At the moment I am having to export to excel with a list of each minute in the time span in one column and with an "Open Sessions" column adding 1 for each login and subtracting 1 for each logout, then graphing this against time.


DamianS
Explorer

Right,

I've been working on this again and I think I have something which works really well now:

foo earliest=@w0 | 
transaction sesid |  
eval countlogin=1 | 
append [ search foo earliest=@w0 | 
        transaction sesid | 
        eval countlogin=-1 | eval _time=_time+duration ] |
stats sum(countlogin) AS countlogin  by _time | 
streamstats sum(countlogin) AS runningtotal |
eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") | fields _time, runningtotal

It creates a 1 when a session starts, a -1 when a session ends and then cumulatively sums them over time. You still have to be fairly confident that when the query starts there are no open sessions (I can do that with my tool at the beginning of the week).


Please ignore all of the below, it was my previous attempt and there are several things wrong with it

By the way, this is the closest I got:

foo earliest=@w0 | transaction sesid keeporphans=true maxspan=13h | concurrency duration=duration | chart max(concurrency) by _time

This produces a nice little graph. There are two problems with it: one is that it's only accurate if you know there are 0 open sessions at the start point, and the second is that the graph never actually shows there being 0 open sessions.

Neither of these two problems was too much of an issue as I just needed to show off shiny graphs to management.

DamianS
Explorer

Another way I've found of doing it if you always have more than 1 login per hour during the day is:

foo earliest=@w0 | transaction sesid keeporphans=true maxspan=13h | concurrency duration=duration | timechart max(concurrency) span=1h

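The two posts above both count open sessions from paired login/logout events: the first emits +1 at each session start and -1 at each end and keeps a running sum, the second uses concurrency and takes the per-bucket maximum. The following Python is an added example that is not from the thread, Splunk, or the poster; it reproduces both computations outside Splunk so the edge cases can be seen. The log lines, the field names `msg` and `sesid`, the session ids and the nine-minute window are all constructed for the example. It emulates `transaction sesid keeporphans=true` by pairing each Login with the next Logout for the same `sesid`, treats a Logout with no Login as a session that was already open when the window began, leaves a Login with no Logout open to the end of the window, and reports both kinds of orphan so the "nothing open at the start" assumption the poster relies on can be checked rather than hoped for.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not taken from the original thread. ZZ is an
# orphan Logout (its Login was before the window) and D4 is an orphan Login
# (still open when the window ends). Field names msg/sesid mirror the post.
SAMPLE_LOG = """\
2024-03-04 08:00:10 msg="Login" sesid=A1
2024-03-04 08:00:45 msg="Login" sesid=B2
2024-03-04 08:02:05 msg="Logout" sesid=A1
2024-03-04 08:02:30 msg="Login" sesid=C3
2024-03-04 08:05:00 msg="Logout" sesid=B2
2024-03-04 08:05:20 msg="Logout" sesid=C3
2024-03-04 08:07:00 msg="Logout" sesid=ZZ
2024-03-04 08:08:00 msg="Login" sesid=D4
"""
SAMPLE_WINDOW_START = datetime(2024, 3, 4, 8, 0)   # assumed window, constructed
SAMPLE_WINDOW_END = datetime(2024, 3, 4, 8, 9)

LINE_RE = re.compile(r'^(\S+ \S+) msg="(Login|Logout)" sesid=(\S+)$')
MINUTE = timedelta(minutes=1)


def parse_events(text):
    """Return [(timestamp, sesid, kind)] sorted by time; kind is 'Login' or 'Logout'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines lacking either field are dropped, as a field-based search would
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    events.sort()
    return events


def pair_sessions(events, window_start):
    """Emulate `transaction sesid keeporphans=true`: pair each Login with the next
    Logout of the same sesid. Returns (sessions, orphan_logins, orphan_logouts);
    a session is (start, end) with end=None when no Logout was seen. An orphan
    Logout becomes a session open since window_start."""
    pending = {}  # sesid -> login time not yet matched by a Logout
    sessions, orphan_logins, orphan_logouts = [], [], []
    for ts, sesid, kind in events:
        if kind == "Login":
            pending[sesid] = ts
            continue
        start = pending.pop(sesid, None)
        if start is None:
            orphan_logouts.append(sesid)
            start = window_start
        sessions.append((start, ts))
    for sesid, start in pending.items():
        orphan_logins.append(sesid)
        sessions.append((start, None))
    return sessions, orphan_logins, orphan_logouts


def _deltas(sessions):
    """+1 at each session start, -1 at each end; on equal times -1 sorts first."""
    out = [(start, +1) for start, _ in sessions]
    out += [(end, -1) for _, end in sessions if end is not None]
    out.sort()
    return out


def open_sessions_per_minute(sessions, window_start, window_end):
    """Running total of the +1/-1 deltas sampled at every minute boundary, keyed
    by 'YYYY-mm-dd HH:MM'. Assumes nothing else was open at window_start."""
    deltas, i, running, result = _deltas(sessions), 0, 0, {}
    minute = window_start
    while minute <= window_end:
        while i < len(deltas) and deltas[i][0] <= minute:
            running += deltas[i][1]
            i += 1
        result[minute.strftime("%Y-%m-%d %H:%M")] = running
        minute += MINUTE
    return result


def peak_open_per_minute(sessions, window_start, window_end):
    """Highest running total reached at any instant within each one-minute bucket,
    the shape `concurrency | timechart max(concurrency)` gives. A bucket only reads
    0 when nothing is open at its start and no Login lands inside it."""
    deltas, i, running, result = _deltas(sessions), 0, 0, {}
    minute = window_start
    while minute <= window_end:
        peak = running
        while i < len(deltas) and deltas[i][0] < minute + MINUTE:
            running += deltas[i][1]
            peak = max(peak, running)
            i += 1
        result[minute.strftime("%Y-%m-%d %H:%M")] = peak
        minute += MINUTE
    return result


def report(text, window_start, window_end):
    """Whole pipeline on raw log text: both series plus the orphan lists."""
    sessions, orphan_logins, orphan_logouts = pair_sessions(parse_events(text), window_start)
    return {
        "open": open_sessions_per_minute(sessions, window_start, window_end),
        "peak": peak_open_per_minute(sessions, window_start, window_end),
        "orphan_logins": orphan_logins,
        "orphan_logouts": orphan_logouts,
    }


def sample_report():
    """Run the pipeline over the constructed sample log and window."""
    return report(SAMPLE_LOG, SAMPLE_WINDOW_START, SAMPLE_WINDOW_END)


if __name__ == "__main__":
    r = sample_report()
    for label in sorted(r["open"]):
        print(label, "open:", r["open"][label], "peak:", r["peak"][label])
    print("orphan logins:", r["orphan_logins"], "orphan logouts:", r["orphan_logouts"])
```

On the sample data the two series differ exactly where the thread says they do: at 08:07 the boundary-sampled running total drops to 0 after ZZ logs out, while the per-minute maximum still reads 1 because one session was open when that minute began. The non-empty `orphan_logouts` list is the signal that the window did not start with zero open sessions, which is the check to run before trusting the running total.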

Ayn
Legend

I always think of this blog post when I see these types of questions: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

I hope it proves useful.

DamianS
Explorer

Thanks, this helped a little; following through, I ended up finding several bugs in our application, which I'm getting the dev team to look over, haha.
