How to edit my search to calculate total duration ...

aladda_splunk · ‎08-15-2016

Looking for help coming up with search to calculate the total duration there were events in a given time period - essentially a reflection (for the given use case) for how much time the user was actively doing something.

So if user A logged in at 11 am, did 5 things between 11 and 11:01, nothing between 11:01 and 11:03 and then again between 11:03 and 11:04 did 10 things, 11:04 to 11:05 did 3 things, then in total the user was active for 3 out of the 5 mins. Only care about 1 minute granularity.

I'm using transaction with maxpause of 60s to represent "inactivity" for a certain time period and then aggregate "duration" to get active_time

| transaction USER_ID maxpause=65s | stats sum(duration) as dur | eval active_time = dur/60

Looking for other ideas and techniques to approach this.

sundareshr · ‎08-16-2016

How frequently are the events logged and do is active vs inactive determined? Assuming the events logged are only when the user is active, you can try something like this

... | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")

If events are logged for active as well as inactive state, try this

... state="active" | stats earliest(_time) as start latest(_time) as end by USER_ID | eval duration=tostring(round(end-start, 0), "duration")**

How to edit my search to calculate total duration for periods with actual events (User activity time)?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability