Hi all. I'm trying to make a gauge that counts the number of logged-on users. I'm stuck on figuring out how to classify a session as "Open". Once I do this I'd just count the number of "OPEN SESSION"s. (Doing it this way in case the boss prefers a table.)
If MsgId is AUT22670 or AUT24414, the event represents a login. If the MsgId is AUT22673, then the event represents a logout.
Example Events:
User, Date, Time, MsgId
my search..
| eval ID=User | eval LoginDate=Date | eval LoginTime=Time
| eval SESSIONS_STATUS = if(match(User,"(?i)ID") AND MsgId!="AUT22673","OPEN SESSION","CLOSED SESSION")
It's not working the way I want, but am I headed in the right direction?
If you trust that AUT22670 or AUT24414 without a corresponding AUT22673 represents a logged in user, use dedup to capture only the latest event for each user. Thus if a user has the log off event, you know their session is closed.
sourcetype=my_source (MsgId=AUT22670 OR MsgId=AUT24414 OR MsgId=AUT22673) | dedup User | eval SESSIONS_STATUS=if(MsgId=="AUT22673","CLOSED SESSION","OPEN SESSION") | table User SESSIONS_STATUS
See http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Dedup
Your match command is filtering out all Users except those called "ID", "Id", "id", or "iD" - probably not what you want.
Here is a slightly different approach that may help. Use the dedup command to get the most recent event for each user, then filter out the logout events. What's left will be a list of open sessions.
your search | dedup User | where MsgId!="AUT22673" | eval LoginTime=_time | table User LoginTime
This works nicely. Yeah, sometimes I get confused and try to attack things in Splunk as I would with a Perl script.
Someone showed me this too.
my search...
| transaction User startswith="MsgId=AUT22670 OR MsgId=AUT24414" endswith="MsgId=AUT22673" keeporphans=true
| search linecount=1
Thanks!
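To make the two approaches in this thread concrete, here is an added Python model of the logic (not Splunk code, and not from any post above). It runs over constructed sample events laid out with the question's four fields (User, Date, Time, MsgId), models dedup as "keep each user's newest event", and models the transaction approach as "pair each login with the next logout for the same user, keeping orphans". The user names, timestamps and the erin/david events are assumptions made for the illustration.

```python
import re
from datetime import datetime

LOGIN_IDS = {"AUT22670", "AUT24414"}
LOGOUT_ID = "AUT22673"

# Constructed sample events (not from the original thread), oldest first.
SAMPLE_EVENTS = [
    {"User": "alice", "Date": "2015-11-30", "Time": "08:00:00", "MsgId": "AUT22670"},
    {"User": "bob",   "Date": "2015-11-30", "Time": "08:05:00", "MsgId": "AUT24414"},
    {"User": "alice", "Date": "2015-11-30", "Time": "09:00:00", "MsgId": "AUT22673"},
    {"User": "carol", "Date": "2015-11-30", "Time": "09:30:00", "MsgId": "AUT22670"},
    {"User": "david", "Date": "2015-11-30", "Time": "09:45:00", "MsgId": "AUT24414"},
    {"User": "alice", "Date": "2015-11-30", "Time": "10:00:00", "MsgId": "AUT24414"},
    {"User": "bob",   "Date": "2015-11-30", "Time": "10:30:00", "MsgId": "AUT22673"},
    # Assumed edge case: a logout for which no login was ever seen.
    {"User": "erin",  "Date": "2015-11-30", "Time": "10:45:00", "MsgId": "AUT22673"},
]


def event_time(ev):
    return datetime.strptime(ev["Date"] + " " + ev["Time"], "%Y-%m-%d %H:%M:%S")


def naive_status(ev):
    """The original post's eval as written: match(User,"(?i)ID") AND MsgId!=AUT22673.
    The regex tests the user name for the letters 'id', not for a field called ID."""
    if re.search(r"(?i)ID", ev["User"]) and ev["MsgId"] != LOGOUT_ID:
        return "OPEN SESSION"
    return "CLOSED SESSION"


def status_by_latest_event(events):
    """Model of `dedup User | eval SESSIONS_STATUS=if(MsgId=="AUT22673", ...)`.
    Splunk returns events newest-first, so dedup keeps each user's latest event."""
    newest_first = sorted(events, key=event_time, reverse=True)
    status = {}
    for ev in newest_first:
        if ev["User"] in status:
            continue  # an older event for a user already seen: dedup drops it
        status[ev["User"]] = "CLOSED SESSION" if ev["MsgId"] == LOGOUT_ID else "OPEN SESSION"
    return status


def sessions_by_transaction(events):
    """Model of `transaction User startswith=<login> endswith=<logout> keeporphans=true`.
    Returns a list of sessions, each a list of events. A second login for a user
    whose session is still open ends the old one as an unclosed single-event session."""
    sessions = []
    open_login = {}  # user -> login event that started the current session
    for ev in sorted(events, key=event_time):
        user, msg = ev["User"], ev["MsgId"]
        if msg in LOGIN_IDS:
            if user in open_login:
                sessions.append([open_login[user]])
            open_login[user] = ev
        elif msg == LOGOUT_ID:
            if user in open_login:
                sessions.append([open_login.pop(user), ev])
            else:
                sessions.append([ev])  # orphan logout, kept because keeporphans=true
    sessions.extend([ev] for ev in open_login.values())  # still open at end of data
    return sessions


def open_sessions(events):
    """Single-event sessions whose one event is a login: the open sessions.
    Checking MsgId matters because an orphan logout is also a single-event session."""
    return sorted(
        (s[0]["User"], s[0]["Time"])
        for s in sessions_by_transaction(events)
        if len(s) == 1 and s[0]["MsgId"] in LOGIN_IDS
    )


if __name__ == "__main__":
    print("latest-event view:", status_by_latest_event(SAMPLE_EVENTS))
    print("open sessions via transaction:", open_sessions(SAMPLE_EVENTS))
    print("gauge value:", len(open_sessions(SAMPLE_EVENTS)))
```

The erin event is the reason open_sessions checks MsgId rather than only the event count: with keeporphans=true a lone logout also comes through as a one-event transaction, so filtering on event count alone would over-count. The naive_status function shows the problem the second answer points out: alice's 10:00 login is classed "CLOSED SESSION" because her name does not contain "id", while david's login is "OPEN SESSION" only because his does.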
Thanks, appreciate it!