How do you calculate the total and average duratio...

tdarrow · ‎02-26-2019

I am relatively new to Splunk so please forgive my naivety.

I have been tasked with calculating the session length of unique users for our lab computers on campus. While my search is far from efficient, I have been able to calculate the duration by session_id (with the help of other questions/answers here).

Now that I have calculated the durations, I would like to calculate the Total Session Length (simple addition of each session length) and the Average Session Length (hours or minutes).

My search string is below. Feel free to help me clean it up where necessary. I greatly appreciate any help or guidance!

index=desktop "Q218" session_id=* Account_Domain=WIN NOT host=MET_IMG NOT user=lab NOT user=PanAgent-svc EventCode=4647 OR EventCode=4624 OR EventCode=4634 | dedup _time user | stats earliest(_time) AS earliest latest(_time) AS latest BY session_id | eval duration = tostring((latest-earliest), "duration") | table user session_id earliest latest duration| where duration>"00:00:00"

tiagofbmm · ‎02-26-2019

Not sure if you'd want that per user, but here it goes:

index=desktop "Q218" session_id=* Account_Domain=WIN NOT host=MET_IMG NOT user=lab NOT user=PanAgent-svc EventCode=4647 OR EventCode=4624 OR EventCode=4634 | dedup _time user | stats earliest(_time) AS earliest latest(_time) AS latest BY session_id | eval duration = tostring((latest-earliest), "duration"), length_seconds=(latest-earliest) | table user session_id earliest latest duration | where duration>"00:00:00" | stats sum(length_seconds) as Total_Length, avg(length_seconds) as Avg_Length by user | eval Avg_Length_Minutes=Avg_Length/60

How do you calculate the total and average duration of the session length for unique users?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life