active user session at any given time

lain179 · ‎03-27-2013

Hi,

I would like to draw a chart representing number of active sessions at any given time...probably on a time chart.

The log contains three different type of log lines: Login, Log out and Expire sessions. I have come up with the following search so far, but it's not working well.


sourcetype="Engine" Server="ABC" login OR "log out" OR "removing session" | transaction UserSession | where duration=0 | timechart span=1m count(LoginDate) as in count(LogoutDate) as out count(LoginExpireDate) as expire | streamstats sum(in) as totalin sum(out) as totalout sum(expire) as totalexpire | eval totalactive=totalin-totalout-totalexpire

Thanks.

takeda · ‎03-27-2013

Hi,

Why do you filter the result of transaction command with duration=0?
I think that causes Splunk to return sessions that immediately end after they start.

Maybe "concurrency" command can be used for your purpose.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Concurrency

lain179 · ‎03-28-2013

Not true. If there is a duration, that mean the session has already started and ended and I don't need to count them because they are NOT active. Duration is measured in millisecond, so for any completed sessions, duration will be at least 1.

By filtering for duration = 0, I get three things:
- Login sessions that has not logout or expires yet
- logout session that has a login before the time range specified
- expired session that has a login before the time range specified

And no, concurrency is not what I need.

active user session at any given time

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!