Solved: How to get statistics on user log in duration

Splunkster45 · ‎10-14-2014

I have two types of logs in my files that record when a user logs in and logs out. They are of the form:

Session <number> <user> started
Session <number> ended

I've been using the transaction command transaction number startswith "started" endswith "ended" to calculate the time that each user has been logged on. What'd I like to do is to calculate statistics on the time of the user login - avg length, min, max, stdev. I've been looking around and it appears that the transaction command gets rid of the ability to do stats. Is there a way to calculate these statistics on a user basis?

wpreston · ‎10-14-2014

You can still perform stats calcs after using transaction. In your case, it sounds like you are wanting to perform some statistics on the duration field that is created by the transaction command. So something like this should do the trick:

...<your base search>... | transaction number startswith "started" endswith "ended" | stats avg(duration) min(duration) max(duration) stdev(duration) by user

View solution in original post

wpreston · ‎10-14-2014

You can still perform stats calcs after using transaction. In your case, it sounds like you are wanting to perform some statistics on the duration field that is created by the transaction command. So something like this should do the trick:

...<your base search>... | transaction number startswith "started" endswith "ended" | stats avg(duration) min(duration) max(duration) stdev(duration) by user

How to get statistics on user log in duration

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?