Splunk Search

How to find the time duration between logins

dbcase
Motivator

Hi,

I have a fun one.... fun being the operative word 🙂 I have data that looks like the below when someone logs in. I've extracted out the exr value which is unique when a customer logs in. What I'd like to do is track the time duration between 1 login for a customer and the next.

Example: a customer with an exr of exr395164 logs in at 1:10 pm, does some things, then logs out, then logs in again at 2:15 pm. I'd like to calculate the 1:05 and then get an average of all customer times between logins.

Any thoughts?

{
    Properties: {
        args: [
            {"accountId":"exr395164","customerId":"3555"}
        ]
        category: Event
        index: 1
    }
    analyticType: CustomAnalytic
    buildTarget: blah
    clientSessionId: DXFMTCJ-BGKVKYL
}
1 Solution

DalJeanis
SplunkTrust

Use streamstats.

your query that gets all the logins
| sort 0 _time 
| bin _time as day span=1d
| streamstats current=f last(_time) as lasttime by customer day
| eval duration= _time - lasttime

Now you have your duration between logins. How to calculate the average depends on what you mean.

This is the average time between logins, averaged on a login basis.

| stats avg(duration) as duration

This is the average time between logins, averaged on a customer basis.

| stats avg(duration) as duration by customer
| stats avg(duration) as duration

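For anyone who wants to sanity-check what the streamstats pipeline above produces, here is the same computation written out in Python. This is an added example, not code from the thread or from Splunk: it parses the nested accountId out of an event shaped like the one in the question, sorts by time, buckets into days, keeps the previous login time per (account, day) exactly as `streamstats current=f last(_time) ... by customer day` does, and then computes both of the averages DalJeanis describes. The sample events, the `make_event`/`ts`/`hms` helpers and the use of accountId as the "customer" key are assumptions made for this example; day buckets are aligned to UTC midnight here, so adjust if your Splunk timezone differs.

```python
"""Time between consecutive logins per account, mirroring the streamstats approach.

Added example, not from the original thread. Event layout follows the question;
sample events and helper names are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean


def ts(when):
    """Epoch seconds for a 'YYYY-MM-DD HH:MM' string interpreted as UTC (constructed helper)."""
    dt = datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def extract_account(raw):
    """Pull accountId (the 'exr' value) out of Properties.args[0], which is itself a JSON string."""
    outer = json.loads(raw)
    inner = json.loads(outer["Properties"]["args"][0])
    return inner["accountId"]


def make_event(when, account_id, customer_id):
    """Build a Splunk-like event dict (_time in epoch seconds, _raw as the JSON shown in the question)."""
    raw = json.dumps({
        "Properties": {
            "args": [json.dumps({"accountId": account_id, "customerId": customer_id})],
            "category": "Event",
            "index": 1,
        },
        "analyticType": "CustomAnalytic",
        "buildTarget": "blah",
        "clientSessionId": "DXFMTCJ-BGKVKYL",
    })
    return {"_time": ts(when), "_raw": raw}


# Constructed sample logins (deliberately out of order, as search results often are).
SAMPLE_EVENTS = [
    make_event("2024-03-01 10:00", "exr777001", "4100"),
    make_event("2024-03-01 14:15", "exr395164", "3555"),
    make_event("2024-03-01 10:30", "exr777001", "4100"),
    make_event("2024-03-01 11:00", "exr999000", "9000"),  # single login: never gets a duration
    make_event("2024-03-01 13:10", "exr395164", "3555"),
    make_event("2024-03-01 16:15", "exr395164", "3555"),
    make_event("2024-03-02 09:00", "exr395164", "3555"),  # new day bucket: duration resets to null
]


def login_gaps(events, span=86400):
    """sort 0 _time | bin _time as day span=1d
       | streamstats current=f last(_time) as lasttime by customer day
       | eval duration = _time - lasttime

    Returns (account, _time, duration) tuples in time order; duration is None where
    Splunk would leave it null (first login of an account within a day bucket)."""
    rows = []
    last_seen = {}  # (account, day_bucket) -> previous login _time
    for ev in sorted(events, key=lambda e: e["_time"]):
        account = extract_account(ev["_raw"])
        day = ev["_time"] - ev["_time"] % span  # bin span=1d, aligned to UTC midnight
        prev = last_seen.get((account, day))
        rows.append((account, ev["_time"], None if prev is None else ev["_time"] - prev))
        last_seen[(account, day)] = ev["_time"]
    return rows


def avg_per_login(rows):
    """| stats avg(duration): one average over every login that has a predecessor."""
    gaps = [d for _, _, d in rows if d is not None]
    return mean(gaps) if gaps else None


def avg_per_customer(rows):
    """| stats avg(duration) by customer | stats avg(duration): average of per-customer averages.
    Accounts with no measurable gap contribute nothing, as null durations do in Splunk."""
    by_account = defaultdict(list)
    for account, _, d in rows:
        if d is not None:
            by_account[account].append(d)
    per_customer = {a: mean(g) for a, g in by_account.items()}
    overall = mean(per_customer.values()) if per_customer else None
    return per_customer, overall


def hms(seconds):
    """Render a duration in seconds (what epoch subtraction yields) as H:MM:SS."""
    return f"{seconds // 3600}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


if __name__ == "__main__":
    rows = login_gaps(SAMPLE_EVENTS)
    for account, when, d in rows:
        print(account, datetime.fromtimestamp(when, timezone.utc), "-" if d is None else hms(d))
    print("per-login average:", avg_per_login(rows))
    print("per-customer averages, overall:", avg_per_customer(rows))
```

The two averages differ for exactly the reason the answer gives: exr395164 has two gaps and exr777001 one, so the login-weighted figure and the customer-weighted figure are not the same number. Note also that because the grouping includes `day`, a login that straddles midnight into the next bucket gets a null duration rather than a long one; drop `day` from the `by` clause if you want gaps measured across days.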

dbcase
Motivator

Hi DalJeanis,

That is pretty slick..... Now I can glue back the clumps of hair 🙂 One quick (hopefully) question..... the duration is in seconds?

DalJeanis
SplunkTrust

@dbcase - yes, epoch time is in seconds, so subtracting two epoch times gives you an answer in seconds.


dbcase
Motivator

Thank you!!
