I am trying to gather average login session times for a server given multiple users' logon and logoff log entries. I am using OSSEC to filter the logs first, so standard Windows fields may not apply, but I have extracted the user field (called "user").
I am not really sure where to start since I cannot seem to figure out how to gather average user session times for any time period given there are multiple users.
Any ideas?
If you have the events that indicate logon and logoff, you could build a transaction and then grab the duration, a la:
YourSearch | transaction Username startswith=LogonEventID endswith=LogoffEventID
| eval DurationInMin = round(duration/60,2)
| stats avg(DurationInMin) as "Average Session Duration (Minutes)" by Username
http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction
Also, if there is a session ID (often there is not), it is probably more efficient (and definitely more scalable) to do:
YourSearch | stats range(_time) as sessiondur by sessionID,Username | stats sum(sessiondur) as user_total_dur by Username
instead.
Minor thing I'd do is only round after taking the average: `... | stats avg(duration) as avgdur by Username | eval avgdur=round(avgdur/60,2) | rename avgdur as "Average Session Duration (Minutes)"`.
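To make the two approaches above concrete, here is an added example (not part of the original answer or comments) that pairs logon/logoff events the way `transaction Username startswith=... endswith=...` does, groups by session ID the way `stats range(_time) by sessionID,Username` does, and rounds only after averaging. The event list is constructed sample data; the field names `event_id` and `logon_id` and the Windows IDs 4624/4634 are assumptions, since the question only says the user field was extracted.

```python
from collections import defaultdict
from datetime import datetime

# Assumed event IDs (Windows logon/logoff); adjust to the IDs OSSEC passes through.
LOGON_EVENT_ID = 4624
LOGOFF_EVENT_ID = 4634

# Constructed sample events, not real log data. "logon_id" stands in for the
# optional session ID; carol logs on and never logs off.
SAMPLE_EVENTS = [
    {"_time": "2012-03-01 08:00:00", "user": "alice", "event_id": 4624, "logon_id": "0x1a"},
    {"_time": "2012-03-01 08:05:00", "user": "bob",   "event_id": 4624, "logon_id": "0x2b"},
    {"_time": "2012-03-01 09:30:00", "user": "alice", "event_id": 4634, "logon_id": "0x1a"},
    {"_time": "2012-03-01 10:00:00", "user": "alice", "event_id": 4624, "logon_id": "0x3c"},
    {"_time": "2012-03-01 10:45:00", "user": "bob",   "event_id": 4634, "logon_id": "0x2b"},
    {"_time": "2012-03-01 10:30:10", "user": "alice", "event_id": 4634, "logon_id": "0x3c"},
    {"_time": "2012-03-01 11:00:00", "user": "carol", "event_id": 4624, "logon_id": "0x4d"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sessions_by_transaction(events):
    """Pair each user's logon with the next logoff in time order, which is what
    the transaction command does. Returns a list of (user, duration_seconds).
    A logoff with no preceding logon is dropped; a logon that never sees a
    logoff stays open and is not counted (so it cannot skew the average)."""
    open_logon = {}
    sessions = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        user, t = ev["user"], parse_time(ev["_time"])
        if ev["event_id"] == LOGON_EVENT_ID:
            open_logon[user] = t  # a repeated logon restarts the session
        elif ev["event_id"] == LOGOFF_EVENT_ID and user in open_logon:
            sessions.append((user, (t - open_logon.pop(user)).total_seconds()))
    return sessions


def sessions_by_id(events):
    """Equivalent of `stats range(_time) as sessiondur by sessionID,Username`:
    duration is the span between the earliest and latest event that share a
    session ID. Sessions with a single event (range 0) are dropped, which in
    SPL would be `... count by sessionID,Username | where count > 1`."""
    bounds = {}
    for ev in events:
        key = (ev["logon_id"], ev["user"])
        t = parse_time(ev["_time"])
        lo, hi, n = bounds.get(key, (t, t, 0))
        bounds[key] = (min(lo, t), max(hi, t), n + 1)
    return [(user, (hi - lo).total_seconds())
            for (_sid, user), (lo, hi, n) in bounds.items() if n > 1]


def average_session_minutes(sessions):
    """Average the raw seconds per user, then convert to minutes and round
    once at the end; rounding each session first would bias the mean."""
    totals = defaultdict(lambda: [0.0, 0])
    for user, secs in sessions:
        totals[user][0] += secs
        totals[user][1] += 1
    return {user: round(total / n / 60, 2) for user, (total, n) in totals.items()}


if __name__ == "__main__":
    print(average_session_minutes(sessions_by_transaction(SAMPLE_EVENTS)))
    print(average_session_minutes(sessions_by_id(SAMPLE_EVENTS)))
```

On the sample data both methods agree (alice 60.08 minutes over two sessions, bob 160.0), and carol's open session is excluded by both. The session-ID variant is the one to prefer when the ID exists, because it needs no event ordering and costs a single `stats` pass; the transaction variant is needed when the only correlation key is the user name.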
Thanks David, I can't believe that I have never noticed the transaction command.