I created the CSV files as you suggested:
```
username, ipaddress, logintime, logouttime
user1, 20.20.20.20, 11/3/2015 12:00:00, 11/3/2015 12:05:00
user2, 20.20.20.20, 11/3/2015 12:10:00, 11/3/2015 12:50:00
user1, 30.30.30.30, 11/3/2015 11:40:00, 11/3/2015 11:55:00
```

```
Clientid, hits, time, domain
20.20.20.20, 2, 11/3/2015 12:02:00, fb.com
20.20.20.20, 3, 11/3/2015 12:02:00, fb.com
30.30.30.30, 5, 11/3/2015 11:45:00, boo.com
```
I uploaded them into Splunk under index=ib_test_sample.
This is the query:
```
index="ib_test_sample" sourcetype="csv"
| eval ClientId=coalesce(Clientid,ipaddress)
| fields ClientId, username, domain, time, hits, logintime, logouttime
| eval start_time=strptime(logintime, "%m/%d/%Y %H:%M:%S")
| eval end_time=strptime(logouttime, "%m/%d/%Y %H:%M:%S")
| eval dns_time=strptime(time, "%m/%d/%Y %H:%M:%S")
| streamstats values(username) AS user by ClientId
| stats sum(hits) AS total by user, ClientId, domain
| table user, ClientId, total, dns_time, start_time, end_time
```
I haven't added the "time is between logintime and logouttime" part yet, since this is not working.
The result I get is:

```
user   ClientId     total  dns_time  start_time  end_time
user2  20.20.20.20  5
```
The time fields are not displayed, and the result has just one entry, which is incorrect.
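As an added reference example (not part of the original post or of Splunk), the same correlation done in Python over the two CSV samples above: each DNS row is attributed to the user whose session on that client IP covers the DNS timestamp, and hits are then summed per user, IP and domain. This gives the expected result to compare the SPL output against; the function names and the unmatched-row handling are this example's own.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed inline copies of the two CSV files from the post, so this runs offline.
SESSIONS_CSV = """username, ipaddress, logintime, logouttime
user1, 20.20.20.20, 11/3/2015 12:00:00, 11/3/2015 12:05:00
user2, 20.20.20.20, 11/3/2015 12:10:00, 11/3/2015 12:50:00
user1, 30.30.30.30, 11/3/2015 11:40:00, 11/3/2015 11:55:00
"""
DNS_CSV = """Clientid, hits, time, domain
20.20.20.20, 2, 11/3/2015 12:02:00, fb.com
20.20.20.20, 3, 11/3/2015 12:02:00, fb.com
30.30.30.30, 5, 11/3/2015 11:45:00, boo.com
"""
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # same format string the SPL strptime() calls use


def read_rows(text):
    """Parse CSV text; skipinitialspace drops the blanks after each comma."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def correlate(sessions_csv=SESSIONS_CSV, dns_csv=DNS_CSV):
    """Return ({(user, ip, domain): total_hits}, [dns rows with no covering session]).

    A DNS row belongs to a session when it has the same client IP and its
    timestamp lies within [logintime, logouttime]; rows that match no session
    (for example, after the IP was reassigned) are reported, not silently dropped.
    """
    sessions = defaultdict(list)
    for s in read_rows(sessions_csv):
        sessions[s["ipaddress"]].append((
            s["username"],
            datetime.strptime(s["logintime"], TIME_FMT),
            datetime.strptime(s["logouttime"], TIME_FMT),
        ))
    totals = defaultdict(int)
    unmatched = []
    for d in read_rows(dns_csv):
        ip, t = d["Clientid"], datetime.strptime(d["time"], TIME_FMT)
        owners = [u for u, start, end in sessions[ip] if start <= t <= end]
        if not owners:
            unmatched.append(d)
            continue
        for user in owners:  # overlapping sessions on one IP each get the hits
            totals[(user, ip, d["domain"])] += int(d["hits"])
    return dict(totals), unmatched
```

With the sample rows, both DNS hits at 12:02 fall inside user1's 12:00 to 12:05 session on 20.20.20.20, so user2 (logged in 12:10 to 12:50) should receive no hits at all.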