Hi Splunkers,
I need a search query for browsing time by user. I have one query :
| stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing-time=tostring(session_time, "duration")
| table user,browsing-time,total
Here we cannot take duration. Its duration of all the sessions. I want it for only http/https session(means session spent on browsers/websites). Please help me on this.
hey @jibin1988,
you can try something like this!
<you_need_to_add_something_which_will_filter_out_http/https_session> | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user
Your base search should filter events for http/https websites/browers..if you have a field that contains these type of events then you can use that field to filter in your base search.If the field is not present then you can extract such events and then apply filter! if you provite some sample event then I can tell you more about it.
Let me know if it helps you!
hey @jibin1988,
you can try something like this!
<you_need_to_add_something_which_will_filter_out_http/https_session> | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user
Your base search should filter events for http/https websites/browers..if you have a field that contains these type of events then you can use that field to filter in your base search.If the field is not present then you can extract such events and then apply filter! if you provite some sample event then I can tell you more about it.
Let me know if it helps you!
I have field with service=HTTP service=HTTPS. I want to get both http and https.
yeah so in your base query you can write.
index=your_index service=HTTP OR service=HTTPS | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user
Yes. Got it. Thank you. I have given service=HTTP*
hey @jibin1988
you are welcome 🙂
Accept my answer if you feel it's satisfactory!