×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ajebakumar
Loves-to-Learn
Member since: ‎01-20-2021
‎01-20-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-20-2021
Activity Feed
Topics I've Started
View All

Get Currently logged in Users

by in Splunk Search
‎01-20-2021 02:51 AM
‎01-20-2021 02:51 AM
Hi,  I am building a dashboard for my application being monitored in Splunk. As part of this i am getting the timestamp  of the latest login and latest logout . Below is a Sample output i am getting with the query i have built (Query provided below). The Output i am looking in this case is AAA & CCC as RMID. Kindly suggest RMID          LTIME                                                        OTIME AAA           19-01-2021 10:55:32:002                19-01-2021 08:32:32:001 BBB           19-01-2021 11:50:12:002                19-01-2021 12:52:32:001 CCC           19-01-2021 10:55:32:002                 Below is the search query i have index="XXX" kubernetes_namespace="uat" LoginStatus IN ("Authentication Success") | eventstats max(AuthenticationTime) as LoginTime  by RMID     |append  [search index="" kubernetes_namespace="uat" LoginStatus IN ("Logout Success") | eventstats max(AuthenticationTime) as LogoutTime  by RMID] |eventstats values(LoginTime) AS LTime, values(RMID) as RMID, values(LogoutTime) AS OTime | table  RMID, LTime, OTime | dedup RMID |eval  LoggedInTime = strptime(LoginTime,"%Y-%m-%d %H:%M:%S.%N") | eval  LoggedOutTime = strptime(OTime,"%Y-%m-%d %H:%M:%S.%N")       ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-20-2021 08:56 AM