Splunk Search

How to write a search using my sample data to find how long a user has been using my application?

splunkuser1982
New Member

Hello Everyone,

I need help writing a Splunk search that measures these stats correctly. Please note that the data is sometimes sent to Splunk more than once due to an error on our server.

Here is an overview: I am interested in knowing how long a user has been using my application. An event will have user_id, connection state (values are connected, paused, and terminated), session_length, and timestamp. The usage of the application for a user can be retrieved from the field session_length.

When the user is in either the paused or the terminated state, the event will contain a session length value. If the user's states for a sequence are connected, paused, and terminated, then the session length should be derived from the terminated state; otherwise the session length should be taken from the paused state.

Unfortunately, the paused and terminated data is sent to the server more than once. I would like to filter out such data.

The sample data is written below.

Consideration --> If, for a sequence of events for a user, the terminated/paused state is reported twice, then use the oldest session length for that sequence.

Sample Data

User1 Terminated session_length=13 timestamp=10.13
User1 Terminated session_length=11 timestamp=10.11
User1 Paused     session_length=10 timestamp=10.10
User1 Connected                    timestamp=10.00
--
User1 Paused     session_length=5  timestamp=9.05
User1 Connected                    timestamp=9.00
--
User2 Terminated session_length=13 timestamp=10.13
User2 Terminated session_length=11 timestamp=10.11
User2 Paused     session_length=10 timestamp=10.10
User2 Connected                    timestamp=10.00
--
User1 Terminated session_length=6  timestamp=9.06
User1 Connected                    timestamp=8.00
--

For the sample data set above, I have used the delimiter -- to separate the sequences and to explain how the duration will be calculated.

1) For User1 (from top to bottom), consider the first sequence. The user states are connected, paused, terminated, terminated. So its session length is 11 (consider the earliest reported session length).
2) For User1, sequence 2, the user states are connected, paused. So its session length is 5.
3) For User2, sequence 2, the user states are connected, paused, terminated, terminated. Its session length is 11.
4) For User1, sequence 4, the user states are connected, terminated. Its session length is 6.

The Splunk search should report the sum of session lengths per user, which is:

User_Id    TotalSessionLength
User1      22
User2      11

I appreciate your response.

Thank you

0 Karma
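The rule spelled out in the question (cut a user's events into sequences, keep the earliest of any repeated paused/terminated report, prefer the terminated length over the paused length, then sum per user) is easy to get subtly wrong, so here is a reference implementation to check a Splunk search against. This is an added example, not code from the original post or from Splunk: the key=value line format, the field names `user_id`, `state`, `session_length`, `timestamp` and the optional `session_id` are assumptions, and the sample lines below are constructed from the poster's table (with a `session_id` letter standing in for each `--` block).

```python
"""Reference implementation (added example, not from the original post) of the
per-user session-length rule described in the question.

Assumptions: events are key=value lines; field names are user_id, state,
session_length, timestamp and (optionally) session_id. Timestamps such as 10.13
are treated as plain floats and used only for ordering.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the poster's table. The session_id letters are
# an assumption standing in for the "--" blocks in the post; they are not in
# the original data.
SAMPLE_EVENTS = """\
user_id=User1 state=terminated session_length=13 timestamp=10.13 session_id=A
user_id=User1 state=terminated session_length=11 timestamp=10.11 session_id=A
user_id=User1 state=paused session_length=10 timestamp=10.10 session_id=A
user_id=User1 state=connected timestamp=10.00 session_id=A
user_id=User1 state=paused session_length=5 timestamp=9.05 session_id=B
user_id=User1 state=connected timestamp=9.00 session_id=B
user_id=User2 state=terminated session_length=13 timestamp=10.13 session_id=C
user_id=User2 state=terminated session_length=11 timestamp=10.11 session_id=C
user_id=User2 state=paused session_length=10 timestamp=10.10 session_id=C
user_id=User2 state=connected timestamp=10.00 session_id=C
user_id=User1 state=terminated session_length=6 timestamp=9.06 session_id=D
user_id=User1 state=connected timestamp=8.00 session_id=D
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        events.append({
            "user_id": fields["user_id"],
            "state": fields["state"].lower(),
            "session_length": (int(fields["session_length"])
                               if "session_length" in fields else None),
            "timestamp": float(fields["timestamp"]),
            "session_id": fields.get("session_id"),
        })
    return events


def group_sequences(events, use_session_id):
    """Return {user_id: [sequence, ...]}, each sequence a list of events.

    With use_session_id the sequence is whatever the event tags it as;
    without it, events are sorted by time and a new sequence starts at
    every 'connected' event (the only option if no session id is logged).
    """
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["user_id"], e["timestamp"])):
        per_user[ev["user_id"]].append(ev)
    result = {}
    for user, evs in per_user.items():
        if use_session_id:
            groups = defaultdict(list)
            for ev in evs:
                groups[ev["session_id"]].append(ev)
            result[user] = list(groups.values())
        else:
            seqs = []
            for ev in evs:
                if ev["state"] == "connected" or not seqs:
                    seqs.append([])
                seqs[-1].append(ev)
            result[user] = seqs
    return result


def sequence_length(seq):
    """Earliest terminated report wins; else earliest paused; else None.

    Taking the earliest by timestamp (not dedup on session_length) is what
    handles the poster's duplicates, which carry different lengths.
    """
    for state in ("terminated", "paused"):
        reports = [e for e in seq
                   if e["state"] == state and e["session_length"] is not None]
        if reports:
            return min(reports, key=lambda e: e["timestamp"])["session_length"]
    return None


def total_session_length(text, use_session_id=True):
    """Sum the per-sequence lengths per user, skipping sequences with no length."""
    totals = {}
    for user, seqs in group_sequences(parse_events(text), use_session_id).items():
        lengths = (sequence_length(s) for s in seqs)
        totals[user] = sum(l for l in lengths if l is not None)
    return totals


if __name__ == "__main__":
    print(total_session_length(SAMPLE_EVENTS, use_session_id=True))
    print(total_session_length(SAMPLE_EVENTS, use_session_id=False))
```

Two things worth checking before trusting any search built on this data. First, the duplicate terminated reports in the sample are not exact duplicates (11 at 10.11 and 13 at 10.13), so a `dedup` on `session_length` would not remove them; the earliest-timestamp rule does. Second, the poster's fourth block (connected at 8.00, terminated at 9.06) overlaps the second block (connected at 9.00, paused at 9.05) in time, so if the events carry no session identifier and sequences are cut at each `connected` event in time order, User1 sums to 17 rather than the expected 22. Reproducing 22 requires some field that ties a terminated event to its own connected event. In SPL the time-ordered cut can be sketched as `sort 0 _time | streamstats count(eval(state=="connected")) AS seq_id BY user_id` followed by a `stats` over `user_id, seq_id`, but the field names there are the same assumptions as in the code above.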

splunknewbie420
New Member

you could probably take the difference between two fields?

0 Karma