
resetting a counter for each day

bochmann
Path Finder

I'm trying to count the maximum number of concurrent sessions on a system where the data I have are login and logout events. I'm using eval() - something I found in another post here, incrementing a counter when someone logs in, and decrementing on a logout. Looks like this:

eval count=if(id="login",1,-1) | sort + _time | accum count as activeusers | timechart span=1d max(activeusers)

This seems to work in general, but obviously the data is slightly inconsistent - I don't have 0 users at the end of the day. The errors add up over time so that the end result is rather useless.

I know that having consistent data would be more useful, but I can't correct that at this time. So I'm looking for a way to have my counter start at zero on each day. Any idea how to do that (or solve the problem somehow completely different in a better way)?

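To make the drift concrete, here is an added example (not code from the thread) that replays the two approaches over a small constructed set of login/logout events: a single never-reset running counter, which is what accum produces, beside a counter that restarts at zero on each calendar day. The event list is constructed for illustration and deliberately drops one logout on the first day so that the carried-over error is visible in every later day's peak. The function names and the 1/-1 encoding mirror the question's eval but are otherwise my own.

```python
from datetime import datetime

# Constructed sample events, not data from the thread: (timestamp, id).
# Day 1 records three logins but only two logouts, so a never-reset
# counter ends that day at 1 instead of 0 and carries the error forward.
EVENTS = [
    ("2024-03-01 08:00", "login"),
    ("2024-03-01 08:30", "login"),
    ("2024-03-01 09:00", "login"),
    ("2024-03-01 12:00", "logout"),
    ("2024-03-01 17:00", "logout"),
    ("2024-03-02 08:00", "login"),
    ("2024-03-02 09:00", "login"),
    ("2024-03-02 13:00", "logout"),
    ("2024-03-02 18:00", "logout"),
    ("2024-03-03 08:00", "login"),
    ("2024-03-03 08:15", "login"),
    ("2024-03-03 08:30", "login"),
    ("2024-03-03 08:45", "login"),
    ("2024-03-03 10:00", "logout"),
    ("2024-03-03 10:05", "logout"),
    ("2024-03-03 10:10", "logout"),
    ("2024-03-03 10:15", "logout"),
]


def parse(events):
    """Turn (timestamp, id) pairs into time-ordered (datetime, +1/-1) deltas,
    the same encoding as `eval count=if(id="login",1,-1) | sort _time`."""
    deltas = []
    for ts, event_id in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        deltas.append((when, 1 if event_id == "login" else -1))
    return sorted(deltas)


def max_concurrent_global_accum(events):
    """Mirror of `accum count AS activeusers | timechart span=1d max(activeusers)`:
    one running counter that is never reset, so any day's residual error
    (a missing logout) inflates every later day's peak."""
    running = 0
    peaks = {}
    for when, delta in parse(events):
        running += delta
        day = when.date().isoformat()
        peaks[day] = max(peaks.get(day, running), running)
    return peaks


def max_concurrent_daily_reset(events):
    """What the question asks for: the counter restarts at zero on each
    calendar day. Returns (peak per day, end-of-day residual per day); a
    non-zero residual flags a day whose login/logout data is inconsistent."""
    peaks, residual = {}, {}
    running, current_day = 0, None
    for when, delta in parse(events):
        day = when.date().isoformat()
        if day != current_day:
            running, current_day = 0, day  # new day: forget yesterday's error
        running += delta
        peaks[day] = max(peaks.get(day, 0), running)
        residual[day] = running
    return peaks, residual


if __name__ == "__main__":
    print("never reset :", max_concurrent_global_accum(EVENTS))
    peaks, residual = max_concurrent_daily_reset(EVENTS)
    print("daily reset :", peaks)
    print("residual    :", residual)
```

With this input the never-reset counter reports peaks of 3, 3 and 5, while the daily-reset counter reports 3, 2 and 4 and additionally shows a residual of 1 on the first day, which is exactly the kind of early warning that the licensing metric in the question needs. The SPL analogue of the per-day grouping (my suggestion, not from the thread) is to bucket the timestamp into a day field with bin, keep the events ordered by _time with sort 0 (the bare sort in the question silently truncates at 10000 events), and run streamstats sum(count) with a BY clause on that day field before the timechart, so the running sum starts over in each bucket.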

woodcock
Esteemed Legend

I think this will do it:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers

That will show you the chart day-by-day but if you just need the max out of all days, do this:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers | stats max(activeusers)

woodcock
Esteemed Legend

Did this work?


bochmann
Path Finder

For now I just need the maximum of concurrent sessions for each day (which is a metric for the licensing on the system - so I'd like to get a view on how that develops over time, and get an early warning when I might need additional licenses).
I thought that's what I would get by charting max(activeusers) in this case. A finer resolution would be nice, but is not required.


Ayn
Legend

Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?
