Getting Data In

Can you help me build a query that shows time stamp for each user > session?

bluemarvel
Path Finder

This query gives me the time stamp once for each user, but not each time the user gets a session.

index="*" sourcetype=* 
|search "field:" 
|rex field=_raw "User:  (?<user>\S+)\)" 
|rex field=_raw "Session: (?<session>.*?)\."
|bin _time span=10m 
|dedup user session ID 
|stats values(ID) count by _time user session 
| where count >= 50
Tags (2)
0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Your dedup is part of the problem, but I suspect there is another.

If you are trying to detect the number of simultaneous sessions, then try something like this...

 index="*" sourcetype=* 
 |search "field:" 
 |rex field=_raw "User:  (?<user>\S+)\)" 
 |rex field=_raw "Session: (?<session>.*?)\."
 |bin _time as Time span=10m 
 |stats values(ID) dc(session) as dcSession values(session_) as valSession list(session) as listSession list(_time) as listTime by Time user
 | where dcSessions >= 50

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Your dedup is part of the problem, but I suspect there is another.

If you are trying to detect the number of simultaneous sessions, then try something like this...

 index="*" sourcetype=* 
 |search "field:" 
 |rex field=_raw "User:  (?<user>\S+)\)" 
 |rex field=_raw "Session: (?<session>.*?)\."
 |bin _time as Time span=10m 
 |stats values(ID) dc(session) as dcSession values(session_) as valSession list(session) as listSession list(_time) as listTime by Time user
 | where dcSessions >= 50

rbreton
Path Finder

Could you paste a couple sample log entries?

0 Karma

adonio
Ultra Champion

your dedup removes all values with user and sessionID but 1

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...