Splunk Search

Search for total browsing time by user

jibin1988
Path Finder

Hi Splunkers,

I need a search query for browsing time by user. I have one query :

| stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing-time=tostring(session_time, "duration")
| table user,browsing-time,total

Here we cannot take duration. Its duration of all the sessions. I want it for only http/https session(means session spent on browsers/websites). Please help me on this.

0 Karma
1 Solution

mayurr98
Super Champion

hey @jibin1988,
you can try something like this!

<you_need_to_add_something_which_will_filter_out_http/https_session> | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user

Your base search should filter events for http/https websites/browers..if you have a field that contains these type of events then you can use that field to filter in your base search.If the field is not present then you can extract such events and then apply filter! if you provite some sample event then I can tell you more about it.
Let me know if it helps you!

View solution in original post

mayurr98
Super Champion

hey @jibin1988,
you can try something like this!

<you_need_to_add_something_which_will_filter_out_http/https_session> | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
| eval browsing_time=tostring(session_time, "duration")
| stats values(browsing_time) as browsing_time values(total) as total by user

Your base search should filter events for http/https websites/browers..if you have a field that contains these type of events then you can use that field to filter in your base search.If the field is not present then you can extract such events and then apply filter! if you provite some sample event then I can tell you more about it.
Let me know if it helps you!

jibin1988
Path Finder

I have field with service=HTTP service=HTTPS. I want to get both http and https.

0 Karma

mayurr98
Super Champion

yeah so in your base query you can write.

index=your_index service=HTTP OR service=HTTPS | stats sum(duration) AS session_time sum(sentbyte) as sent sum(rcvdbyte) as received sum(bytes) as total by user
 | eval browsing_time=tostring(session_time, "duration")
 | stats values(browsing_time) as browsing_time values(total) as total by user
0 Karma

jibin1988
Path Finder

Yes. Got it. Thank you. I have given service=HTTP*

0 Karma

mayurr98
Super Champion

hey @jibin1988
you are welcome 🙂
Accept my answer if you feel it's satisfactory!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...