Splunk Search

resetting a counter for each day

bochmann
Path Finder

I'm trying to count the maximum number of concurrent sessions on a system where the data I have are login and logout events. I'm using eval() - something I found in another post here - incrementing a counter when someone logs in and decrementing it on a logout. It looks like this:

eval count=if(id="login",1,-1) | sort + _time | accum count as activeusers | timechart span=1d max(activeusers)

This seems to work in general, but obviously the data is slightly inconsistent - I don't have 0 users at the end of the day. The errors add up over time so that the end result is rather useless.

I know that having consistent data would be more useful, but I can't correct that at this time. So I'm looking for a way to have my counter start at zero on each day. Any idea how to do that (or solve the problem somehow completely different in a better way)?

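To make the drift concrete, here is an added Python model of the same login/logout accumulator (not code from the post or from Splunk): it replays a constructed event list in which one day is missing a logout, and compares the daily peak with and without restarting the counter at the first event of each day.

```python
from datetime import datetime

# Constructed sample events (not from the post): (timestamp, id).
# On 2024-03-02 the second session never logs out, the kind of
# inconsistency the question describes.
EVENTS = [
    ("2024-03-01 08:00", "login"),
    ("2024-03-01 08:30", "login"),
    ("2024-03-01 09:00", "login"),
    ("2024-03-01 12:00", "logout"),
    ("2024-03-01 17:00", "logout"),
    ("2024-03-01 17:30", "logout"),
    ("2024-03-02 08:15", "login"),
    ("2024-03-02 09:00", "login"),
    ("2024-03-02 16:00", "logout"),   # matching second logout is missing
    ("2024-03-03 08:00", "login"),
    ("2024-03-03 10:00", "login"),
    ("2024-03-03 18:00", "logout"),
    ("2024-03-03 18:05", "logout"),
]


def daily_sessions(events, reset_each_day):
    """Mirror of: eval count=if(id="login",1,-1) | sort _time | accum count,
    followed by a per-day max. Returns {day: (peak_active, active_at_end)}.
    With reset_each_day=True the accumulator restarts at 0 on the first event
    of each day, so a missed logout only distorts the day it happened on."""
    ordered = sorted(events, key=lambda e: datetime.strptime(e[0], "%Y-%m-%d %H:%M"))
    summary = {}
    active = 0
    current_day = None
    for ts, event_id in ordered:
        day = ts[:10]
        if day != current_day:
            current_day = day
            if reset_each_day:
                active = 0
        active += 1 if event_id == "login" else -1
        peak, _ = summary.get(day, (0, 0))
        summary[day] = (max(peak, active), active)
    return summary


if __name__ == "__main__":
    for mode in (False, True):
        print("reset each day:", mode)
        for day, (peak, end) in daily_sessions(EVENTS, mode).items():
            print(f"  {day}  peak={peak}  end_of_day={end}")
```

Without the reset the missing logout on day 2 inflates day 3's peak from 2 to 3 and leaves every later day ending at a non-zero count, which is exactly the accumulating error the question describes.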

woodcock
Esteemed Legend

I think this will do it:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers

That will show you the chart day-by-day but if you just need the max out of all days, do this:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers | stats max(activeusers)

woodcock
Esteemed Legend

Did this work?


bochmann
Path Finder

For now I just need the maximum number of concurrent sessions for each day (which is a metric for the licensing on the system - so I'd like to get a view of how that develops over time, and get an early warning when I might need additional licenses).
I thought that's what I would get by charting max(activeusers) in this case. A finer resolution would be nice, but is not required.


Ayn
Legend

Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?
