Question:

From the above data, I am trying to retrieve the individual session duration for each user and machine and put it in a chart. I have the query which renders the aggregate of the sessions for machine and user. However, I am trying to retrieve the session duration for each login that happened at any time. Could someone please help me correct my query to get each session by logon and logout events?

    | table machine_name, user_name, event_name, event_time
    | dedup event_time
    | streamstats current=f last(event_time) as logout_time by machine_name
    | table machine_name, user_name, event_name, event_time, logout_time
    | where event_name="LOGON" and logout_time!=""
    | eval logon_time=event_time
    | eval type=typeof(logout_time)
    | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(logon_time) as assigned_at
    | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(logout_time) as released_at
    | eval session_duration=(released_at-assigned_at)
    | eval session_duration=tostring(session_duration, "duration")
    | table user_type, user_name, site_id, machine_name, event_name, logon_time, logout_time, session_duration

Reply:

    | eval _raw = "user_name machine_name event_name logon_time
    | eval login_time = if(event_name="logon", logon_time, null()), logout_time = if(event_name="logoff", logon_time, null())
    | transaction endswith=(event_name=logon) startswith=(event_name=logoff) user_name machine_name
    ```| transaction startswith=(event_name=logon) endswith=(event_name=logoff) user_name machine_name```
    | eval session_duration = tostring(duration, "duration")
    | table user_name machine_name event_name logon_time logout_time session_duration

You should notice the "reverse + startswith/endswith" pair (in comments), which should be set according to the order of the events in your search.

Follow-up:

Error in 'transaction' command: This search requires events to be in descending time order, but the preceding search does not guarantee time-ordered events.

So the bucket command puts all the results in groups of the span value, which does not give us the accurate chart, at least in my case. I am trying to group the results based on span: the number of VMs logged in for 1-5 min intervals when span = 5 mins. So the chart will show that 100 VMs were logged in and had session_duration between 1 min and 5 mins, 200 machines were logged in and had session_duration between 5 and 10 mins, 15 to 20 mins, etc., or the number of VMs logged in for 1h-2h, 2 hrs to 3 hrs, etc. So, can you suggest the best way to show the graph with buckets?

    | eval session_duration=strptime(session_duration, "%H:%M:%S")
    | bucket session_duration $span_tok$
    | fieldformat session_duration=strftime(session_duration, "%H:%M:%S")
    | chart count(vm_name) over session_duration

Also, when you click on the chart from the above query, it leads to the search command appended with "search session_duration="00:02:40"", and the results yield no data, although we have results shown with that duration as 00:02:40 when run without the condition "search session_duration="00:02:40"".
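The logon/logoff pairing and the span bucketing discussed in the thread, as an added Python example that is not part of the thread and not Splunk code. It runs over constructed events listed in the descending-time order Splunk returns them, sorts them ascending before pairing (the ordering requirement behind the transaction error quoted above), ignores a LOGOFF with no preceding LOGON for the same user and machine, reports a LOGON that is still open, and then counts sessions per duration bucket while keeping the grouping key numeric and the HH:MM:SS text as a separate label. All user names, machine names and timestamps are made up for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in the descending-time order Splunk returns them
# (newest first): (timestamp, user_name, machine_name, event_name).
SAMPLE_EVENTS = [
    ("2024-03-01 09:41:00", "alice", "vm-01", "LOGOFF"),
    ("2024-03-01 09:38:20", "alice", "vm-01", "LOGON"),   # 2 min 40 s session
    ("2024-03-01 09:30:00", "bob",   "vm-02", "LOGOFF"),
    ("2024-03-01 09:12:00", "bob",   "vm-02", "LOGON"),   # 18 min session
    ("2024-03-01 09:05:00", "carol", "vm-03", "LOGON"),   # still logged in, no LOGOFF yet
    ("2024-03-01 08:00:00", "alice", "vm-01", "LOGOFF"),  # stray LOGOFF with no matching LOGON
    ("2024-03-01 07:00:00", "dave",  "vm-04", "LOGOFF"),
    ("2024-03-01 03:00:00", "dave",  "vm-04", "LOGON"),   # 4 h session
]


def parse_time(text):
    """Epoch seconds for a 'YYYY-MM-DD HH:MM:SS' string, treated as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def sessionize(events):
    """Pair each LOGON with the next LOGOFF for the same (user, machine).

    This is what a transaction with startswith=LOGON endswith=LOGOFF does once the
    events are in ascending time order. Returns (closed_sessions, open_logons):
    closed sessions carry a numeric session_duration in seconds; open_logons maps
    (user, machine) to the logon time of sessions that have no LOGOFF yet.
    """
    ordered = sorted(events, key=lambda e: parse_time(e[0]))  # ascending, whatever the input order
    open_logons = {}
    sessions = []
    for ts, user, machine, name in ordered:
        key = (user, machine)
        t = parse_time(ts)
        if name.upper() == "LOGON":
            open_logons[key] = t  # a second LOGON without a LOGOFF simply restarts the session
        elif name.upper() == "LOGOFF":
            start = open_logons.pop(key, None)
            if start is None:
                continue  # LOGOFF without a preceding LOGON: no duration can be computed
            sessions.append({
                "user_name": user, "machine_name": machine,
                "logon_time": start, "logout_time": t,
                "session_duration": t - start,
            })
    return sessions, open_logons


def hhmmss(seconds):
    """Render seconds as HH:MM:SS (the same shape as tostring(x, "duration") under one day)."""
    seconds = int(seconds)
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def bucket_durations(sessions, span_seconds):
    """Count sessions per duration bucket of span_seconds.

    The dict key is the numeric lower bound of the bucket (what bucket/bin would
    leave in the field); the HH:MM:SS range text is kept in a separate label so
    the value used for grouping stays a number.
    """
    counts = Counter()
    for s in sessions:
        lower = int(s["session_duration"] // span_seconds) * span_seconds
        counts[lower] += 1
    return {
        lower: {"label": f"{hhmmss(lower)}-{hhmmss(lower + span_seconds)}", "count": n}
        for lower, n in sorted(counts.items())
    }


if __name__ == "__main__":
    closed, still_open = sessionize(SAMPLE_EVENTS)
    for s in closed:
        print(s["user_name"], s["machine_name"], hhmmss(s["session_duration"]))
    print("open logons:", still_open)
    for lower, row in bucket_durations(closed, 300).items():
        print(row["label"], row["count"])
```

With a 300 second span the three closed sessions land in the 00:00:00-00:05:00, 00:15:00-00:20:00 and 04:00:00-04:05:00 buckets; with a 3600 second span the first two share one bucket. The posted chart query rewrites session_duration in place with fieldformat, which changes only how the number is displayed and not the stored value; keeping the numeric bucket start as the grouping key and the HH:MM:SS text in its own field is the conservative way to make sure a drilldown passes along a value that actually exists in the events.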