Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

resetting a counter for each day

bochmann
Path Finder
‎06-26-2012 10:43 PM

I try to count the maximum of concurrent sessions on a system where the data I have are login and logout events. I'm using eval() - something I found in another post here, incrementing a counter when someone logs in, and decrementing on a logout. Looks like this:

eval count=if
(id="login",1,-1) | sort + _time | accum count as activeusers | timechart span=1d max(activeusers)

This seems to work in general, but obviously the data is slightly inconsistent - I don't have 0 users at the end of the day. The errors add up over time so that the end result is rather useless.

I know that having consistent data would be more useful, but I can't correct that at this time. So I'm looking for a way to have my counter start at zero on each day. Any idea how to do that (or solve the problem somehow completely different in a better way)?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2015 09:44 AM

I think this will do it:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers

That will show you the chart day-by-day but if you just need the max out of all days, do this:

eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers | stats max(activeusers)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-04-2015 01:20 PM

Did this work?

0 Karma
Reply

bochmann
Path Finder
‎06-26-2012 11:47 PM

For now I just need the maximum of concurrent sessions for each day (which is a metric for the licensing on the system - so I'd like to get a view on how that develops over time, and get an early warning when I might need additional licenses).
I thought that's what I would get by charting max(activeusers) in this case. A more fine resolution would be nice, but is not required.

0 Karma
Reply

Ayn
Legend
‎06-26-2012 11:19 PM

Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...