
Session duration calculates the wrong time (can't work out why)

Communicator

............. | rex field=user mode=sed "s/./ /g"
| eval user=lower(user)
| eval date_hour=strftime(_time, "%H")| search date_hour>=4 date_hour<=23
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, user
| eval session_duration=logout-login
| eval h=floor(session_duration/3600)
| eval m=floor((session_duration-(h*3600))/60)
| eval SessionDuration=h."h ".m."m "
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) as session_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, user
| sort + user


SplunkTrust
| eval SessionDuration=h."h ".m."m " 
....
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) as session_duration, ....

The first eval makes SessionDuration a string;
therefore, | stats max() can't work.

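A rewritten version of the search that follows the answer above, added here as an example and not part of the original thread. The base search is an assumption (the original post elides it with "............."), and the field names user and Logon_Type are taken from the original. The fix is to aggregate while login and logout are still epoch numbers (stats min/max of _time by Date and user) and to build the "Nh Mm" display string only after the arithmetic, so no numeric function is ever asked to compare strings:

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| eval user=lower(user)
| eval date_hour=tonumber(strftime(_time, "%H"))
| where date_hour>=4 AND date_hour<=23
| eval Date=strftime(_time, "%a %B %d %Y")
| stats count AS auth_event_count, min(_time) AS login, max(_time) AS logout, values(Logon_Type) AS logon_types by Date, user
| eval session_duration=logout-login
| eval h=floor(session_duration/3600), m=floor((session_duration % 3600)/60)
| eval SessionDuration=h."h ".m."m"
| eval login=strftime(login, "%m/%d/%y - %I:%M %p"), logout=strftime(logout, "%m/%d/%y - %I:%M %p")
| table Date, user, auth_event_count, login, logout, SessionDuration, logon_types
| sort user
```

Two things change relative to the original. First, the original converted login and logout to display strings with convert ctime before the final stats, and then asked stats max() for the largest of strings like "9h 5m" and "10h 2m"; string comparison is lexicographic, so "9h 5m" sorts above "10h 2m" and the reported duration is wrong. Here min/max run on epoch seconds and strftime is applied last, for display only. Second, streamstats produces a running value per event rather than one value per (Date, user) group, so the per-user first and last logon come from a single stats pass instead. The `%` operator in eval is Splunk's modulus, used to get the leftover minutes without the h*3600 subtraction from the original.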