Chart count by Duration and User name

strueblood · ‎10-04-2010

I have pulled VPN logs and I'd like to report on the duration that a user has used the VPN tunnel.

I have found the event that shows a disconnected VPN session.

It has the duration information and the user name. I don't know how to create a chart that will include the user name and the duration to next to it.

I have Chart by count Duration (Duration is a field I created)

But I can't seem to put in a search string to show Username and duration next to it.

strueblood · ‎10-04-2010

That is a very good answer, that answers half my question.

I'm now getting data showing, but I want the duration next to the user name, I'm getting the duration over the top and the count next to the user name.

What would I put instead of count?

ftk · ‎10-04-2010

I edited my answer. Have a look.

ftk · ‎10-04-2010

You could try doing something like:

your search | chart count Username by Duration

strueblood · ‎10-04-2010

That didn't error out but comes up with zero data. Yes, I to show a bar graph that shows user name and the duration graph next to it.

ftk · ‎10-04-2010

Hmm, here is another edit. Lemme see if I get this right -- You want a chart (column chart?) that will show a Username and its associated duration? Or do you mean a table?

strueblood · ‎10-04-2010

Sorry, I get this error message.

Error in 'chart' command: The specifier 'Duration' is invalid. It must be in form (). For example: max(size).

I get where you are going and I hope it can be that simple, other ideas?

Chart count by Duration and User name

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!