- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- resetting a counter for each day
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
resetting a counter for each day
I try to count the maximum of concurrent sessions on a system where the data I have are login and logout events. I'm using eval() - something I found in another post here, incrementing a counter when someone logs in, and decrementing on a logout. Looks like this:
eval count=if
(id="login",1,-1) | sort + _time | accum count as activeusers | timechart span=1d max(activeusers)
This seems to work in general, but obviously the data is slightly inconsistent - I don't have 0 users at the end of the day. The errors add up over time so that the end result is rather useless.
I know that having consistent data would be more useful, but I can't correct that at this time. So I'm looking for a way to have my counter start at zero on each day. Any idea how to do that (or solve the problem somehow completely different in a better way)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this will do it:
eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers
That will show you the chart day-by-day but if you just need the max out of all days, do this:
eval count=if(id="login",1,-1) | timechart span=1d sum(count) AS activeusers | stats max(activeusers)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For now I just need the maximum of concurrent sessions for each day (which is a metric for the licensing on the system - so I'd like to get a view on how that develops over time, and get an early warning when I might need additional licenses).
I thought that's what I would get by charting max(activeusers) in this case. A more fine resolution would be nice, but is not required.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your goal to verify that you have 0 users over the day, or are you actually looking to see when you have the most concurrent sessions? I imagine that at the end of the day all users will have logged out, so doing a timechart with a span of 1 day will just get you 0 users (if things worked correctly) or a non-zero value (if things didn't work correctly). Don't you want a timechart with a shorter span so you can see the peak over the course of one day?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
