I have a file like this:
Thu Mar 7 15:09:22,admin,login
Thu Mar 7 17:46:21,admin,login
Thu Mar 7 18:01:33,admin,logout
Thu Mar 7 18:17:23,1111,login
Thu Mar 7 18:37:02,admin,login
Thu Mar 7 19:00:02,admin,logout
Thu Mar 7 19:05:21,admin,logout
Thu Mar 7 20:51:23,1111,logout
Thu Mar 7 21:10:45,admin,logout
I want to plot a timechart of open sessions for each user in the log file. Having read this
and this discussion, I wrote this query:
source="Accounting01" | eval Diff=if(Action="login", 1, if(Action="logout", -1, 0)) | bin _time | stats sum(Diff) as OpenSessions by _time User_Name | streamstats sum(OpenSessions) as OpenSessions by User_Name | eval Str_Time=strftime(_time, "%d-%m-%Y %H:%M:%S") | chart max(OpenSessions) as "Open sessions" by User_Name, Str_Time
This is how it looks now:
The problem is that some of the data is not shown, e.g. there are seemingly 0 sessions for admin between 18:00 and 18:35, while from the data it is obvious that they were logged in the whole time. Same with 1111: they should have 1 session for every point in time until they log out. It is more obviously reflected in the tabular version of the data:
Is it possible to alter the query so that the running sum for each user is stored for each event, even if it is 0 the whole time?
inputs.conf:
disabled = false
sourcetype = Acc01
source = Accounting01
props.conf:
REPORT-rep = Acc01_Fields
TRANSFORMS-skip = Skip_Header
transforms.conf:
DELIMS = ","
FIELDS = "Time", "User_Name", "Action"
REGEX = Time,
DEST_KEY = queue
FORMAT = nullQueue
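The gap described in the question comes from `stats ... by _time User_Name` only emitting rows for buckets in which a user actually had an event, so `streamstats` has nothing to carry the running sum through. The following Python script (an added example, not part of the original post or of Splunk) computes the table the query is meant to produce over the nine sample lines: it bins events per user, then walks every bucket between the first and last event and carries each user's running sum forward through buckets where that user had no event. The 30-minute bucket span is an assumption; `bin _time` chooses its own.

```python
"""Open sessions per user per time bucket, carried forward through empty buckets."""
from collections import defaultdict

# Constructed sample: the nine lines from the question (single day, so only HH:MM matters).
LOG = """\
Thu Mar 7 15:09:22,admin,login
Thu Mar 7 17:46:21,admin,login
Thu Mar 7 18:01:33,admin,logout
Thu Mar 7 18:17:23,1111,login
Thu Mar 7 18:37:02,admin,login
Thu Mar 7 19:00:02,admin,logout
Thu Mar 7 19:05:21,admin,logout
Thu Mar 7 20:51:23,1111,logout
Thu Mar 7 21:10:45,admin,logout
"""

def bucket_of(hhmmss, span_min):
    """Start of the span_min-wide bucket (minutes since midnight) containing the time."""
    h, m, _ = hhmmss.split(":")
    minutes = int(h) * 60 + int(m)
    return minutes - minutes % span_min

def open_sessions(log, span_min=30):
    """Return {user: {bucket_start: open_sessions}} with one entry per bucket from the
    first to the last event, so a user with no event in a bucket keeps the previous
    value instead of disappearing from the table."""
    delta = defaultdict(lambda: defaultdict(int))   # user -> bucket -> sum(Diff)
    buckets = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        when, user, action = line.split(",")
        b = bucket_of(when.split()[-1], span_min)
        buckets.add(b)
        delta[user][b] += {"login": 1, "logout": -1}.get(action, 0)
    timeline = range(min(buckets), max(buckets) + span_min, span_min)
    result = {}
    for user, per_bucket in delta.items():
        running, row = 0, {}
        for b in timeline:
            running += per_bucket.get(b, 0)   # 0 when the user had no event in b
            row[b] = running                  # negative => logout without a logged login
        result[user] = row
    return result

if __name__ == "__main__":
    for user, row in open_sessions(LOG).items():
        print(user, {f"{b // 60:02d}:{b % 60:02d}": n for b, n in row.items()})
```

Running it shows 1111 holding 1 open session in every bucket from 18:00 through 20:00 even though the log has no 1111 events there, which is exactly what the chart in the question fails to show.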