Splunk Search

Tracking active sessions over time

ajtokar
Engager

I have a query where I can see in a snapshot current active users per VPN profile (group). Having a hard time being able to plot number of active sessions on a timechart. The timecharts I make show me number of new connections, which is not what I am after. I am after seeing the total number of active connections per VPN profile (group) every 10 minutes for example. 

SPL: 

index=vpn_index message_id IN (113039 113019) group IN (ABC* XYZ* DEF* UVW*)
| transaction Username keepevicted=true startswith="113039" endswith="113019"
| eval session-status=if(closed_txn==1,"Completed","In Progress")
| search message_id="113039"
| fields src, _time, session-status, Username, group
| search session-status="In Progress"
| rename group as "VPN Profile"
| stats count as "Active Sessions" by "VPN Profile"

Any help is appreciated!

- Adam


ITWhisperer
SplunkTrust

If sessions start with 113039 and end with 113019, you could assign a field with 1 for 113039 events and -1 for 113019 events, then sum the field over 10-minute periods (timechart span=10m sum(field) as active). A bit crude as it doesn't take into account active sessions when the time period starts, but you might be able to do something about that if you calculate how many ends you have which didn't have starts (assuming you can identify these by username or something like that).
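
Added example, not code from this thread or from Splunk: a Python model of the +1/-1 running-sum approach above, including the correction for sessions already active when the search window begins (users whose first event in the window is an end). The events, usernames and group names are constructed for the demo; only the two message ids come from the question.

```python
from collections import defaultdict

# Message ids from the question: 113039 = session start, 113019 = session end.
START_ID, END_ID = 113039, 113019
SPAN = 600  # timechart span=10m, in seconds

# Constructed sample events (not real VPN logs):
# (time offset in seconds from the window start, Username, group, message_id)
EVENTS = [
    (60,   "alice", "ABC", START_ID),
    (100,  "dave",  "XYZ", START_ID),
    (300,  "bob",   "ABC", END_ID),    # no start seen: bob connected before the window
    (500,  "dave",  "XYZ", END_ID),
    (700,  "carol", "ABC", START_ID),  # never ends: still active when the window closes
    (1300, "erin",  "XYZ", START_ID),
    (1500, "alice", "ABC", END_ID),
]


def active_sessions(events, span=SPAN, correct_baseline=True):
    """Active sessions per group at the end of each span-sized bucket.

    Starts add 1, ends subtract 1, and the per-bucket sums are accumulated in
    time order (the running total).  With correct_baseline=True the total is
    seeded with the number of users whose first event is an end, i.e. sessions
    that were already open when the window started.
    Returns {group: [(bucket_start, active), ...]}.
    """
    events = sorted(events)
    net = defaultdict(int)   # (group, bucket) -> sum of +1/-1 in that bucket
    first_msg = {}           # (group, user) -> first message_id seen for that user
    for t, user, group, msg_id in events:
        net[(group, t - t % span)] += {START_ID: 1, END_ID: -1}.get(msg_id, 0)
        first_msg.setdefault((group, user), msg_id)

    baseline = defaultdict(int)
    if correct_baseline:
        for (group, _user), msg_id in first_msg.items():
            if msg_id == END_ID:
                baseline[group] += 1   # an end without a start: active at window open

    first_bucket = events[0][0] - events[0][0] % span
    last_bucket = events[-1][0] - events[-1][0] % span
    result = {}
    for group in sorted({g for _t, _u, g, _m in events}):
        active, series = baseline[group], []
        for bucket in range(first_bucket, last_bucket + span, span):
            active += net.get((group, bucket), 0)   # running total across buckets
            series.append((bucket, active))
        result[group] = series
    return result
```

Without the baseline correction the ABC series drops to 0 in the first bucket even though bob and alice were both connected during it, which is the "never truly 0" problem described in the replies.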

ajtokar
Engager

Thank you for the reply. That's very clever and took me a minute to grasp that it will be a "running total" of the number of sessions; however, as you stated, that is somewhat compounded by the fact that it is never truly 0.


Thanks,

Adam
