Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats sum(duration) by user date_month date_year - Not really Addition of duration?

starks951
Explorer
‎09-19-2010 01:33 AM

Splunkers... I am looking at a VPN logs from a Cisco ASA and trying to calculate the amount of time per day per user that a user spends logged into the VPN. I can run the following and the output looks right:

asa_logid="%ASA-6-602303" OR asa_logid="%ASA-6-602304" outbound sourcetype="syslog" earliest=-10d@d latest=+1d@d
| transaction startswith="has been created" endswith="has been deleted" by vpn_session

What I get in output is an event that is started and ended properly by the vpn_session id(an extracted value from the log) but user. I also get a value called duration (which seems to be the length of the event in seconds). Thus I figured I could sum the duration by user by date_month like below:

asa_logid="%ASA-6-602303" OR asa_logid="%ASA-6-602304" outbound sourcetype="syslog" source="/var/log/hosts/172.30.64.2/messages.log" earliest=-10d@d latest=+1d@d
| transaction startswith="has been created" endswith="has been deleted" by vpn_session
| stats sum(duration) by vpn_user date_month date_year

However this summation shows people logged into the VPN for hundreds of hours per day... clearly not possible...

What am I doing wrong here?

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-20-2010 04:17 PM

Your search syntax looks right, and the stats should calculate the sum of the duration field. You should note that your stats is calculating the total duration for the month, not for the day, so it's not unreasonable for it to be greater than 86,400s.

Another possibility is that vpn_user has become a multivalued field and certain sessions are counting against multiple users.

I'd pipe the output of transaction to stats sum(duration) count to see what the total duration and number of sessions is, as a sanity check.

Reply

starks951
Explorer
‎09-23-2010 05:10 PM

I don't have any issues getting the month day, the problem is that the two events that make up the transaction have two different month days. How do I get it to evaluation only ONE of them.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-20-2010 09:31 PM

You can explicitly compute the equivalent of date_mday using eval: "... | eval mday = strftime(_time, "%m")"

0 Karma
Reply

starks951
Explorer
‎09-20-2010 06:56 PM

Ok... so I ran some MORE analysis... and it looks like date_mday is a multi-value field (for those events that last over the break in the day, ie start at 1130pm and end at 0200am). At which point we are counting this event on BOTH days..

Going to have to figure out how to only report that ONCE.

Thoughts?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...