Hello,
I would like to know if it's possible, with Splunk, to know the connection time of each user by day or by month, for example.
Thanks.
You could try this:
yoursearchere |
transaction username ip startswith="Start connection." endswith="End connection" |
stats sum(duration) as TimeOnline by username |
fieldformat TimeOnline = tostring(TimeOnline,"duration")
However, if you have a large number of users who log in in one day, the transaction command may not work well. But try this and see...
To count the number of connections per user:
yoursearchere |
eval transactionEnd=0 |
eval transactionEnd=case(match(_raw,".*end connection 1.*"),1,
match(_raw,".*end connection 2.*"),1) |
transaction username ip startswith="Start connection."
endswith=eval(transactionEnd==1) |
stats count as numberOfConnections by username
Although a month may be too long a timespan for the transaction command... If so, you might consider using a summary index to collect the daily info (number of Connections and TimeOnline).
yoursearchere |
eval transactionEnd=0 |
eval transactionEnd=case(match(_raw,".*end connection 1.*"),1,
match(_raw,".*end connection 2.*"),1) |
transaction username ip startswith="Start connection."
endswith=eval(transactionEnd==1) |
stats sum(duration) as TimeOnline by username |
fieldformat TimeOnline = tostring(TimeOnline,"duration")
That may help. The match function is case sensitive, so be exact!
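To make clear what the transaction searches above actually compute (and where they can go wrong), here is an added Python example that reproduces the same pairing logic outside Splunk: events are grouped by username and ip, a "Start connection." event opens a session, an event matching either of the answer's two case-sensitive "end connection" patterns closes it, and the durations and counts are summed per user and per day or month. This is example code, not part of the original answer and not Splunk's own implementation; the log lines, field layout (username=, ip=) and the HH:MM:SS rendering that approximates tostring(x,"duration") are assumptions made for the example. It also surfaces the two things the SPL silently hides: a start with no matching end (for instance because the end message differs in case) and an end with no open start.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post). Each line carries a
# timestamp, a username, an ip and the free-text message the searches match on.
LOG_LINES = [
    "2024-03-01T08:00:00 username=alice ip=10.0.0.5 Start connection.",
    "2024-03-01T08:45:00 username=alice ip=10.0.0.5 end connection 1",
    "2024-03-01T09:00:00 username=bob ip=10.0.0.7 Start connection.",
    "2024-03-01T09:30:00 username=bob ip=10.0.0.7 end connection 2",
    "2024-03-01T10:00:00 username=alice ip=10.0.0.5 Start connection.",
    "2024-03-01T10:20:00 username=alice ip=10.0.0.5 end connection 1",
    "2024-03-02T07:00:00 username=alice ip=10.0.0.5 Start connection.",
    # Upper-case end message: never matches the case-sensitive patterns,
    # so this session stays open (same behaviour as match() in Splunk).
    "2024-03-02T07:10:00 username=alice ip=10.0.0.5 END CONNECTION 1",
    "2024-03-02T11:00:00 username=bob ip=10.0.0.9 Start connection.",
    # End for a (username, ip) pair that has no open start: an orphan.
    "2024-03-02T11:05:00 username=bob ip=10.0.0.7 end connection 1",
    "2024-03-02T11:30:00 username=bob ip=10.0.0.9 end connection 2",
]

# Assumed raw-event layout for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) username=(?P<username>\S+) ip=(?P<ip>\S+) (?P<msg>.*)$"
)
START_MARKER = "Start connection."  # mirrors startswith="Start connection."
# The same two patterns as the answer's case() call. re.search is case
# sensitive, exactly like Splunk's match().
END_PATTERNS = [re.compile(r".*end connection 1.*"),
                re.compile(r".*end connection 2.*")]

PERIOD_FORMATS = {"day": "%Y-%m-%d", "month": "%Y-%m"}


def is_end(msg):
    """True when the message closes a session (transactionEnd==1 in the SPL)."""
    return any(p.search(msg) for p in END_PATTERNS)


def summarize(lines, period="day"):
    """Pair start/end events per (username, ip) and total them per user and period.

    Returns (totals, open_sessions, orphan_ends):
      totals        {(username, period): {"connections": n, "seconds": s}}
      open_sessions {(username, ip): start datetime} for starts never closed
      orphan_ends   number of end events with no open start
    """
    fmt = PERIOD_FORMATS[period]
    open_sessions = {}
    totals = defaultdict(lambda: {"connections": 0, "seconds": 0})
    orphan_ends = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event we understand
        key = (m["username"], m["ip"])
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]
        if START_MARKER in msg:
            # A second start before any end replaces the first; transaction
            # would likewise not pair the earlier one with this end.
            open_sessions[key] = ts
        elif is_end(msg):
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_ends += 1
                continue
            bucket = totals[(m["username"], start.strftime(fmt))]
            bucket["connections"] += 1
            bucket["seconds"] += int((ts - start).total_seconds())
    return dict(totals), open_sessions, orphan_ends


def format_duration(seconds):
    """Render seconds as HH:MM:SS, approximating tostring(x, "duration")."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


if __name__ == "__main__":
    for period in ("day", "month"):
        totals, open_sessions, orphan_ends = summarize(LOG_LINES, period)
        print(f"--- per {period} ---")
        for (user, bucket), v in sorted(totals.items()):
            print(f"{user:8} {bucket:10} connections={v['connections']} "
                  f"TimeOnline={format_duration(v['seconds'])}")
    print("still open:", open_sessions)
    print("ends without a start:", orphan_ends)
```

Running it shows why the answer warns about case: alice's 2024-03-02 session never appears in the totals because its end line is upper-case, and it is reported under "still open" instead. The "ends without a start" counter catches the other failure mode, an end event whose ip differs from the start's, which the username ip grouping in transaction treats as a different session. Both counters are worth keeping in whatever summary you schedule, since a growing number of unclosed sessions is usually the first sign the log format or the patterns have drifted.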