- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Finding overall login time for a user
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a game, my logs log two times, a login event and a logoff event. What I want to do is calculate the total online time of a player in splunk. They are two separate events, and I can find them through queries. I'm not sure how to get the total online time of a player (I don't need to break it down into daily events, just the total overall sum of the time they played)
I think a way to do this would be to sum the timestamps of all of the logon events for a player, then subtract the sum of all the logoff events for the player (My math might be wrong, but I have a feeling this would work) How would I go about doing that?
I'm very new to splunk, so please go easy on me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to look into transactions. Use your "logon" as your startswith attribute, and your "logoff" as your endswith attribute. Transactions will automatically be calculated with a duration field (I believe it's in seconds).
Once you have that you can simply do a stats sum of the durations by user. Something like this:
<your base search> | transaction <userid_field> startswith="*logon*" endswith="*logoff*" | stats sum(duration) as total_dur by <userid_field>
There are other methods to calculate duration between timstamps that you can find in splunk answers.
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked like a charm, Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to look into transactions. Use your "logon" as your startswith attribute, and your "logoff" as your endswith attribute. Transactions will automatically be calculated with a duration field (I believe it's in seconds).
Once you have that you can simply do a stats sum of the durations by user. Something like this:
<your base search> | transaction <userid_field> startswith="*logon*" endswith="*logoff*" | stats sum(duration) as total_dur by <userid_field>
There are other methods to calculate duration between timstamps that you can find in splunk answers.
Hope this helps
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
