
Identify User Active screen Time

Hello, I found this blog post on identifying the active screen time of a user.

Can someone please help me translate this pivot into a plain Splunk search:

| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
count(Session_SessionDetail_Users) as EventCount
latest(SessionConnectionState) as SessionConnectionState
latest(SessionFgAppName) as SessionFgAppName
latest(SessionUserLower) as User
splitrow
_time
period second
splitrow
SessionGUID
filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
sum(Active) as Active
sum(EventCount) as EventCount
latest(User) as User
by
SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'

1 comment

  Martin Kretzschmar (official comment)

    Hi Shivam,

    Using SPL, the search could look like this. Please note that you can still use pivot as a search command even if your data model acceleration is disabled.

    index=`uberAgent_index` sourcetype=uberAgent:Session:SessionDetail SessionID!=0
    | bin _time span=1s
    | stats
    count as EventCount
    latest(SessionConnectionState) as SessionConnectionState
    latest(SessionFgAppName) as SessionFgAppName
    latest(SessionUser) as User
    latest(host) as Host
    by _time, SessionGUID
    | eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
    | stats
    sum(Active) as Active
    sum(EventCount) as EventCount
    latest(User) as User
    latest(Host) as Host
    by
    SessionGUID
    | eval "Active time (%)" = round(Active / EventCount * 100,1)
    | eval sortfield='Active time (%)'
    | sort limit=0 -sortfield 'Active time (%)'
    | table
    User
    Host
    "Active time (%)"
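To check what the pivot in the question and the SPL in the comment actually compute, here is the same logic re-implemented in Python over a handful of constructed events. This is an added example, not uberAgent or Splunk code; the events are made up but use the field names from the search (SessionGUID, SessionConnectionState, SessionFgAppName, SessionUser, host), and the helper names `ev`, `bin_per_second`, `is_active` and `active_time_per_session` are this example's own. It also shows two things a practitioner should know before trusting the percentage: what `latest()` does when two events land in the same one-second bin, and that `sum(EventCount)` counts raw events rather than observed seconds, so the two differ whenever a bin holds more than one event.

```python
"""Per-session active screen time, mirroring the SPL in the comment above.

Added example, not uberAgent or Splunk code. The events below are constructed
to resemble uberAgent:Session:SessionDetail fields; sessions, users, hosts and
timestamps are made up.
"""
from collections import defaultdict

LATEST_FIELDS = ("SessionConnectionState", "SessionFgAppName", "SessionUser", "host")


def ev(t, guid, user, host, state=None, fg=None):
    """Build one constructed event; None means the field is absent, as in a raw event."""
    fields = {"SessionGUID": guid, "SessionUser": user, "host": host}
    if state is not None:
        fields["SessionConnectionState"] = state
    if fg is not None:
        fields["SessionFgAppName"] = fg
    return (t, fields)


# Constructed sample (_time as epoch seconds). Session A has two events in
# second 1000, one second without a foreground app and one disconnected second;
# session B has one event with no SessionConnectionState field at all.
SAMPLE_EVENTS = [
    ev(1000, "A", "alice", "WS01", "active", "notepad.exe"),
    ev(1000, "A", "alice", "WS01", "active", "Lock App"),        # same second: latest wins
    ev(1001, "A", "alice", "WS01", "active", "outlook.exe"),
    ev(1002, "A", "alice", "WS01", "active"),                    # no foreground app
    ev(1003, "A", "alice", "WS01", "disconnected", "outlook.exe"),
    ev(1004, "A", "alice", "WS01", "active", "chrome.exe"),
    ev(1000, "B", "bob", "WS02", "active", "excel.exe"),
    ev(1001, "B", "bob", "WS02", "active", "excel.exe"),
    ev(1002, "B", "bob", "WS02", fg="excel.exe"),                # no connection state
    ev(1003, "B", "bob", "WS02", "active", "Lock App"),
]


def bin_per_second(events):
    """`bin _time span=1s | stats count latest(...) by _time, SessionGUID`.

    latest() takes the value from the most recent event in the bin that has
    the field; on equal _time the event seen later wins, hence the stable sort.
    """
    bins = {}
    for t, fields in sorted(events, key=lambda e: e[0]):
        b = bins.setdefault((int(t), fields["SessionGUID"]), {"count": 0})
        b["count"] += 1
        for f in LATEST_FIELDS:
            if f in fields:
                b[f] = fields[f]
    return bins


def is_active(state, fg_app):
    """The case() from the search: a second is active only when the session is
    connected and a real (non-lock) foreground app is known.

    Deliberate difference from the SPL: a missing SessionConnectionState is
    treated as inactive here. In Splunk eval a comparison against a missing
    field is not true, so `SessionConnectionState != "active"` does not fire
    for such an event and case() falls through to the `1=1, 1` branch; add
    `isnull(SessionConnectionState), 0` as the first clause if your data can
    lack the field.
    """
    if state != "active":
        return 0
    if fg_app is None or fg_app == "Lock App":
        return 0
    return 1


def active_time_per_session(events):
    """Second stats + eval: one row per SessionGUID, sorted by active share."""
    per_session = defaultdict(lambda: {"Active": 0, "EventCount": 0, "Seconds": 0})
    for (t, guid), b in bin_per_second(events).items():  # insertion order is ascending _time
        s = per_session[guid]
        s["Active"] += is_active(b.get("SessionConnectionState"), b.get("SessionFgAppName"))
        s["EventCount"] += b["count"]   # sum(EventCount): raw events, as in the search
        s["Seconds"] += 1               # one-second bins actually observed
        s["User"] = b.get("SessionUser", s.get("User"))   # latest(User) / latest(Host)
        s["Host"] = b.get("host", s.get("Host"))
    rows = []
    for guid, s in per_session.items():
        rows.append({
            "SessionGUID": guid,
            "User": s["User"],
            "Host": s["Host"],
            # Exactly what the search computes: active seconds over raw events.
            "Active time (%)": round(s["Active"] / s["EventCount"] * 100, 1),
            # Active seconds over observed seconds; differs whenever a bin held
            # more than one event, because sum(EventCount) counts events, not seconds.
            "Active seconds (%)": round(s["Active"] / s["Seconds"] * 100, 1),
        })
    rows.sort(key=lambda r: r["Active time (%)"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in active_time_per_session(SAMPLE_EVENTS):
        print(row)
```

Running it gives session B 50.0 % on both measures, while session A reports 33.3 % "Active time (%)" but 40.0 % of its observed seconds active, because its two events in second 1000 inflate `sum(EventCount)`. If uberAgent emits exactly one SessionDetail event per session per interval the two measures agree; if it does not, counting bins (for example `count` in the second `stats` instead of `sum(EventCount)`) is the denominator that actually means "seconds".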