Splunk Search

How to get a count of unique number of users on server with only login and logout information

Splunkster45
Communicator

I have two types of logs in my files that record when a user logs in and logs out. They are of the form:

Session <number> <user> started
Session <number> ended

Currently, I am able to create a nifty chart that tells me how many unique logins there are per hour. However, if someone logs in at 11:05 and logs off at 1:15, they are not marked as being logged on for either the 12 o'clock hour or the 1 o'clock hour. One way that I am thinking of doing this would be to have some kind of count variable. This variable increases by one for every unique login (users can log in multiple times and have multiple open sessions) and then decreases when that user is no longer logged in (has logged off of all sessions). Does anyone have an idea of how to do this?

I know a starting point would be to assume that each user can only log on once, then extrapolate to the above case; however, I'm not familiar enough with Splunk to write either event. Unfortunately, I'm not familiar enough with Splunk to know how to go about this. I've been using the transaction command to get the duration of each session, but I don't think that helps us here.

Thanks in advance!


yannK
Splunk Employee

You probably want to extract the login/logout action and add an increment field with +1 or -1:

| rex "(?<action>started|ended)" | eval increment=case(action="started",1,action="ended",-1,1=1,0)

Then use a streamstats command to sum the increments over time.

Example of a similar search:
http://answers.splunk.com/answers/153299/bulletproof-approach-for-charting-concurrency-with-split-by...

Another solution is the transaction command and its "concurrency" field, but they have limits and are more costly.
See http://answers.splunk.com/answers/5352/concurrency-count.html
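To show the logic behind the two answers outside of SPL, here is an added Python example (not from the original thread or from Splunk) that joins "ended" lines to their "started" lines by session number, so a user with several open sessions is counted once, and credits that user to every hour during which any session was open (the 12 o'clock-hour case from the question). The log lines and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post); alice holds two sessions at once.
SAMPLE_LOG = """\
2024-03-01 11:05:00 Session 101 alice started
2024-03-01 11:20:00 Session 102 bob started
2024-03-01 11:40:00 Session 103 alice started
2024-03-01 11:55:00 Session 102 ended
2024-03-01 12:30:00 Session 101 ended
2024-03-01 13:15:00 Session 103 ended
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Session (?P<sid>\d+)(?: (?P<user>\S+) started| ended)$")

def parse_events(text):
    """Yield (timestamp, session id, user or None, action) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated lines are skipped rather than aborting
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["sid"], m["user"], "started" if m["user"] else "ended"

def session_intervals(text):
    """Return {session id: (user, start, end)}; end is None while still open.
    'ended' lines carry no user name, so the session id is the join key."""
    sessions = {}
    for ts, sid, user, action in parse_events(text):
        if action == "started":
            sessions[sid] = (user, ts, None)
        elif sid in sessions:  # an 'ended' with no matching 'started' is ignored
            u, start, _ = sessions[sid]
            sessions[sid] = (u, start, ts)
    return sessions

def users_per_hour(text, now=None):
    """Return {hour start: sorted users} crediting a user to every hour in which any
    session was open; sessions with no 'ended' line stay open until `now` (default: last event)."""
    sessions = session_intervals(text)
    last = max((e or s for _, s, e in sessions.values()), default=None)
    now = now or last
    buckets = defaultdict(set)
    for user, start, end in sessions.values():
        hour = start.replace(minute=0, second=0, microsecond=0)
        while hour <= (end or now):
            buckets[hour].add(user)
            hour += timedelta(hours=1)
    return {h: sorted(u) for h, u in sorted(buckets.items())}
```

The per-hour unique-user count is then just the length of each bucket; an hourly chart built this way reports two users for 11:00 and one user for both 12:00 and 13:00 on the sample data.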
