- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Finding overall login time for a user
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a game, my logs log two times, a login event and a logoff event. What I want to do is calculate the total online time of a player in splunk. They are two separate events, and I can find them through queries. I'm not sure how to get the total online time of a player (I don't need to break it down into daily events, just the total overall sum of the time they played)
I think a way to do this would be to sum the timestamps of all of the logon events for a player, then subtract the sum of all the logoff events for the player (My math might be wrong, but I have a feeling this would work) How would I go about doing that?
I'm very new to splunk, so please go easy on me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to look into transactions. Use your "logon" as your startswith attribute, and your "logoff" as your endswith attribute. Transactions will automatically be calculated with a duration field (I believe it's in seconds).
Once you have that you can simply do a stats sum of the durations by user. Something like this:
<your base search> | transaction <userid_field> startswith="*logon*" endswith="*logoff*" | stats sum(duration) as total_dur by <userid_field>
There are other methods to calculate duration between timstamps that you can find in splunk answers.
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked like a charm, Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to look into transactions. Use your "logon" as your startswith attribute, and your "logoff" as your endswith attribute. Transactions will automatically be calculated with a duration field (I believe it's in seconds).
Once you have that you can simply do a stats sum of the durations by user. Something like this:
<your base search> | transaction <userid_field> startswith="*logon*" endswith="*logoff*" | stats sum(duration) as total_dur by <userid_field>
There are other methods to calculate duration between timstamps that you can find in splunk answers.
Hope this helps
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
