- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can you help me create a search that would return ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me create a search that would return the number of user sessions in IIS Logs?
What is the best way to determine the number of sessions from IIS logs using search?
Fields include:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
I am trying to figure out the number of sessions occurred by all users on any given day thus we'll only need to run this search once a day. It would also be helpful to create monthly charts with day increments and yearly with month increments.
I want a session to be ended if the next "view" is 30 minutes away.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In order for us to answer, we'd have to know what you meant by "count number of sessions."
Are you looking for the number of sessions any particular user has established in a day?
Are you looking for the number of simultaneous sessions that a machine was servicing at each 1m increment of the day?
Are you looking for the number of NEW sessions that were started in any particular half-hour increment?
The answer to this kind of question always begins with "what are you trying to achieve?"
If you are looking to identify how many concurrent sessions are occurring, then this might be a good one to look at...
https://answers.splunk.com/answers/246301/concurrent-users-per-time-bucket-from-transactions.html
This one also has a good general solution for calculating concurrency...
https://answers.splunk.com/answers/513002/how-to-graph-sum-of-overlapping-values-given-start.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to figure out the number of sessions occurred by all users on any given day thus we'll only need to run this search once a day. It would also be helpful to create monthly charts with day increments and yearly with month increments.
Thanks for the suggestions and response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have got to help us help you. What in your data constitutes a session? Show us sample events that can be combined into a session.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-09-20 06:20:37 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 jsmith 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:20:45 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 ajones 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:21:40 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 jsmith 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:22:05 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 ajones 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:22:10 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 jsmith 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:59:37 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 jsmith 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 06:59:45 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 ajones 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 07:04:13 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 jsmith 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
2018-09-20 07:05:45 10.10.20.10 GET /SitePages/Forms/AllPages.aspx - 443 ajones 10.0.10.20 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;
This would be considered 4 sessions that occurred on 9/20 according to a user, but we just need the number of sessions in general on our site, so this would return a count of 4.
1. jsmith 06:20:37 - 06:22:10
2. ajones 06:20:45 - 06:22:05
3. jsmith 06:59:37 - 07:04:13
4. ajones 06:59:45 - 07:05:45
Sessions would end because the nearest activity is 30 minutes away from the previous.
I hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: followed this and looks good for my needs.
Need to test accuracy.
https://www.splunk.com/blog/2017/06/29/tips-tricks-using-splunk-for-web-analytics-and-sessions.html
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
