Hello,
I ingest in Splunk enterprise the following log file about end user sessions (only one record is sent at the end of each user session with all relevant information like startime, endtime and others) :
2019-02-26 10:49:03, SessionID:242_205522 ,CLIENTID:242 Session:{startTime:2019-02-10 20:55:22, endTime:2019-02-10 22:57:9 }
I would like to generate a graph of total number of active sessions per hour. the issue is of course the sessions longer than 1 hour. I made various attempts with suggestions for previous posts but did not find any suitable solution (i can successfully use concurrency, but here i'm not trying to measure to number of concurrent sessions, but the total of sessions within an hour). The only solution as far as i understand is to create additional results for the same event using map and gentimes.
my best result so far is using :
ClientID=127 | fields ClientID StartTime EndTime SessionID | eval beginTime=strftime(strptime(StartTime,"%Y-%m-%d %H:%M:%S"), "%m/%d/%Y:%H:%M:%S") | eval endingTime=strftime(strptime(EndTime,"%Y-%m-%d %H:%M:%S"), "%m/%d/%Y:%H:%M:%S") | map maxsearches=50000 search="|gentimes start=$beginTime$ end=$endingTime$ increment=1h | eval duration=60*60 | eval ClientID=$ClientID$ | eval StartTime=$StartTime$ | eval EndTime=$EndTime$"
This request seems to do almost what i'm looking for when only a small dataset is returned by the first search (in the example i had to take only one clientID), it does not work with more results (like 20.000) returned by the first search. i understand the issue, as many search requests needs to be done.
Would anyone could suggest another approach ? i could change the logs we capture to add intermediate events, but i would like to avoid that if possible.
Many thanks for your help.
