Hello,
We are trying to track distinct current users logged in and running transactions in a particular application but cannot seem to get the correct search. Our search right now is just index=cerner | timechart span=5m dc(UserName) by host | addtotals, but one of the major flaws is that within that 5 min aggregation window where Splunk is tallying up the users, the graph shows drastic spikes which will confuse our operations center and make them think that there is something wrong with the application. What would be the best modification to our search syntax to ensure an accurate count of users currently logged in? If the search has to be 5 min in the past I am fine with that.
Thanks!
Thanks for your feedback.
I made the changes and even had it offset to 5 min before, but it is still showing the drastic drops although the 5 min bucket window has passed. I ran the search at 8:27 and the data point at 8:20 should be accurate. Any other ideas?
Thanks
I couldn't figure out how to PM you from here. How are you accounting for the number of users logged into Cerner? Are you getting the EMR logs from the backend, logging Citrix application opens, full app launches from the desktop, or some other way I am not thinking of? I too am part of a Cerner shop and didn't realize someone else out there was tracking this as well.
Could be you need to play with the partial parameter. If you run a search at say 10:06, with span=5m your last timeslot will only have data for 1 minute (but be graphed like it had 5 minutes' worth of data).
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Timechart
/k
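To make the partial-bucket point concrete, here is the original search from the question beside a version with partial=false, as an added example that is not part of any post above; the earliest/latest bounds are an assumed 60-minute window snapped to the minute.

```spl
index=cerner
| timechart span=5m dc(UserName) by host
| addtotals

index=cerner earliest=-60m@m latest=@m
| timechart span=5m partial=false dc(UserName) by host
| addtotals
```

With partial=false the trailing bucket that has only received part of its 5 minutes of events is dropped instead of being plotted as a low point, so the right edge of the chart lags by up to one span but no longer shows a false drop.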
Thanks for your feedback. I just updated the original question trying the partial parameter.