
Identify User Active screen Time

Hello, I found this blog to identify the Active screen time of the user.


Can someone please help in decoding this pivot in simple Splunk Search:


| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
count(Session_SessionDetail_Users) as EventCount
latest(SessionConnectionState) as SessionConnectionState
latest(SessionFgAppName) as SessionFgAppName
latest(SessionUserLower) as User
splitrow
_time
period second
splitrow
SessionGUID
filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
sum(Active) as Active
sum(EventCount) as EventCount
latest(User) as User
by
SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'

3 comments

  • Martin Kretzschmar (Official comment)

    Hi Shivam,

    using SPL, the search could be like this. Please note, that you can still utilize pivot as a search command, even though your data model acceleration might be disabled.

    index=`uberAgent_index` sourcetype=uberAgent:Session:SessionDetail SessionID!=0
    | bin _time span=1s
    | stats
    count as EventCount
    latest(SessionConnectionState) as SessionConnectionState
    latest(SessionFgAppName) as SessionFgAppName
    latest(SessionUser) as User
    latest(host) as Host
    by _time, SessionGUID
    | eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
    | stats
    sum(Active) as Active
    sum(EventCount) as EventCount
    latest(User) as User
    latest(Host) as Host
    by
    SessionGUID
    | eval "Active time (%)" = round(Active / EventCount * 100,1)
    | eval sortfield='Active time (%)'
    | sort limit=0 -sortfield 'Active time (%)'
    | table
    User
    Host
    "Active time (%)"
  • Anantha Lakshman Singamsetty

    How can we calculate "Active Time in Hours" instead of "Active Time in %"?

  • Julian Krause

    Hi Anantha,

    Generally speaking, to get "Active time in hours" one would need to calculate the "session duration" x "Active time in %". The duration can be retrieved by calculating the difference between the session start and end time which are both available in uberAgent's metrics. If there is no session end time, one should work with latest(_time) as LastSeen.

    However, calculating the time difference as a duration is not that trivial, as one would need to calculate hours, minutes, and seconds separately. An example of this can be found in our Helpdesk app when looking at a session and viewing the underlying search of the panel Session connection state.
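As an added example (not part of the original thread or of uberAgent's own searches), the following SPL extends Martin's search with Julian's approach: the session duration is taken as the gap between the first and last sample of each SessionGUID in the search window (so a session clipped by the time range is measured only for the part inside it), multiplied by the active fraction, and then expressed in hours and as hh:mm:ss via tostring(..., "duration"). It assumes the `uberAgent_index` macro and sourcetype from the thread exist in your environment.

```spl
index=`uberAgent_index` sourcetype=uberAgent:Session:SessionDetail SessionID!=0
| bin _time span=1s
| stats
    count as EventCount
    latest(SessionConnectionState) as SessionConnectionState
    latest(SessionFgAppName) as SessionFgAppName
    latest(SessionUser) as User
    latest(host) as Host
    by _time, SessionGUID
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
    sum(Active) as Active
    sum(EventCount) as EventCount
    min(_time) as SessionStart
    max(_time) as LastSeen
    latest(User) as User
    latest(Host) as Host
    by SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval SessionDurationSec = LastSeen - SessionStart
| eval ActiveSec = round(SessionDurationSec * Active / EventCount)
| eval "Active time (h)" = round(ActiveSec / 3600, 2)
| eval "Active time (hh:mm:ss)" = tostring(ActiveSec, "duration")
| eval SessionStart = strftime(SessionStart, "%Y-%m-%d %H:%M:%S")
| eval LastSeen = strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| eval sortfield='Active time (h)'
| sort limit=0 -sortfield
| table
    User
    Host
    SessionStart
    LastSeen
    "Active time (%)"
    "Active time (h)"
    "Active time (hh:mm:ss)"
```

SessionDurationSec is only as accurate as the search time range and the sampling interval, so run it over a window that covers the whole session; sessions with a single sample get a duration of 0 and therefore 0 active hours.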
