Hi all,
So I'm working with log files, and here's a sample entry,
8:09:03 IN: "field1" "user1"
8:09:04 IN: "field2" "user2"
8:09:20 OUT: "field1" "user2"
8:09:25 OUT: "field1" "user1"
8:12:03 IN: "field1" "user1"
8:13:03 OUT: "field1" "user1"
etc...
(the time is inside the event as well)
What I want to do is compare the amount of time that the user is online when and only if field1 is the same. I.e. for the above example, user1 is online for 1 minute and 22 seconds (in total).
As you can see, sometimes the events do not occur consecutively to each other. (see bold) So based upon the time stamp, I want to see the next time it ends.
Lastly, I want to chart this so that the chart will display when the user is online throughout a day and when they're not online.
Thanks.
PS, I'm quite new at Splunk, please provide a lot of detail.
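The pairing logic the question describes (match each IN with the next OUT for the same field and user, even when other users' events sit in between, then sum the durations), as an added Python example that is not part of the original post and does not use Splunk itself. The sample log is constructed from the entries above; because the events carry only a time of day, a single day is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown in the question (one day assumed).
SAMPLE_LOG = """\
8:09:03 IN: "field1" "user1"
8:09:04 IN: "field2" "user2"
8:09:20 OUT: "field1" "user2"
8:09:25 OUT: "field1" "user1"
8:12:03 IN: "field1" "user1"
8:13:03 OUT: "field1" "user1"
"""

# time, IN/OUT, field, user
LINE_RE = re.compile(r'^(\d{1,2}:\d{2}:\d{2})\s+(IN|OUT):\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_events(text):
    """Parse log lines into (time, direction, field, user), sorted by time (stable)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not IN/OUT events
        events.append((datetime.strptime(m.group(1), "%H:%M:%S"), *m.groups()[1:]))
    events.sort(key=lambda e: e[0])
    return events


def online_sessions(text):
    """Pair each IN with the next OUT for the same (field, user) key.

    Returns ({key: [(start, end), ...]}, [unmatched events]); the unmatched
    list flags OUT-without-IN and IN-without-OUT so they are not silently dropped.
    """
    open_in, sessions, unmatched = {}, defaultdict(list), []
    for t, direction, field, user in parse_events(text):
        key = (field, user)
        if direction == "IN":
            if key in open_in:  # second IN before an OUT: report the first one
                unmatched.append(("IN", open_in[key], field, user))
            open_in[key] = t
        elif key in open_in:
            sessions[key].append((open_in.pop(key), t))
        else:
            unmatched.append(("OUT", t, field, user))
    unmatched.extend(("IN", t, f, u) for (f, u), t in open_in.items())
    return dict(sessions), unmatched


def total_online_seconds(text):
    """Total online time per (field, user), in whole seconds."""
    sessions, _ = online_sessions(text)
    return {k: int(sum((e - s).total_seconds() for s, e in v)) for k, v in sessions.items()}
```

The (start, end) spans returned by online_sessions are the intervals a timeline chart of online/offline periods would be drawn from.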