Search for total browsing time by user

jibin1988
Path Finder

Hi Splunkers,

I need a search query for browsing time by user. I have one query:

| stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| table user,browsing_time,total

Here we cannot take duration. It's the duration of all the sessions. I want it only for http/https sessions (meaning sessions spent on browsers/websites). Please help me with this.

0 Karma
1 Solution

mayurr98
Super Champion

hey @jibin1988,
you can try something like this!

<you_need_to_add_something_which_will_filter_out_http/https_session> | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user

Your base search should filter events for http/https websites/browsers. If you have a field that contains these types of events, then you can use that field to filter in your base search. If the field is not present, then you can extract such events and then apply a filter! If you provide some sample events, then I can tell you more about it.
Let me know if it helps you!

jibin1988
Path Finder

I have field with service=HTTP service=HTTPS. I want to get both http and https.

0 Karma

mayurr98
Super Champion

yeah so in your base query you can write.

index=your_index service=HTTP OR service=HTTPS | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user
0 Karma
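
Added example, not part of any post in this thread: `stats sum(duration)` adds up every session, so web sessions that overlap in time (a browser usually holds several connections open at once) are counted more than once. This Python sketch goes beyond the thread's query and computes both that sum and the merged wall-clock time per user from exported events. The `end` field, the sample events, and the assumptions that `duration` is in seconds and that the event time marks the end of the session are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). Assumptions: "end" is the
# epoch time the session closed (the event's _time) and "duration" is seconds.
EVENTS = [
    {"user": "alice", "service": "HTTPS", "end": 1000, "duration": 600},
    {"user": "alice", "service": "HTTPS", "end": 900,  "duration": 300},  # inside the first
    {"user": "alice", "service": "HTTP",  "end": 1300, "duration": 400},  # overlaps by 100 s
    {"user": "alice", "service": "DNS",   "end": 1300, "duration": 5},    # filtered out
    {"user": "bob",   "service": "HTTP",  "end": 500,  "duration": 100},
    {"user": "bob",   "service": "HTTPS", "end": 2000, "duration": 200},  # disjoint
]
WEB_SERVICES = {"HTTP", "HTTPS"}  # exact match, like service=HTTP OR service=HTTPS


def fmt(seconds):
    """HH:MM:SS, similar to tostring(x, "duration") for values under one day."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def browsing_time(events):
    """Per user: summed session duration and merged (wall-clock) duration."""
    spans = defaultdict(list)
    for e in events:
        if e["service"].upper() in WEB_SERVICES:
            spans[e["user"]].append((e["end"] - e["duration"], e["end"]))
    report = {}
    for user, ivs in spans.items():
        summed = sum(end - start for start, end in ivs)  # what sum(duration) gives
        merged, cur_start, cur_end = 0, None, None
        for start, end in sorted(ivs):
            if cur_end is None or start > cur_end:   # gap: close the previous span
                if cur_end is not None:
                    merged += cur_end - cur_start
                cur_start, cur_end = start, end
            else:                                    # overlap: extend the span
                cur_end = max(cur_end, end)
        merged += cur_end - cur_start
        report[user] = {"summed": fmt(summed), "wall_clock": fmt(merged)}
    return report


if __name__ == "__main__":
    for user, row in sorted(browsing_time(EVENTS).items()):
        print(user, row)
```
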

jibin1988
Path Finder

Yes. Got it. Thank you. I have given service=HTTP*

0 Karma

mayurr98
Super Champion

hey @jibin1988
you are welcome 🙂
Accept my answer if you feel it's satisfactory!

0 Karma