To count the number of connections per user:
yoursearchere |
eval transactionEnd=0 |
eval transactionEnd=case(match(_raw,".*end connection 1.*"),1,
match(_raw,".*end connection 2.*"),1)
transaction username ip startswith="Start connection."
endswith=eval(transactionEnd==1) |
stats count as numberOfConnections by username
Although a month may be too long of a timespan for the transaction command... If so, you might consider using a summary index to collect the daily info (number of Connections and TimeOnline)
... View more