Hello, I found this blog to identify the active screen time of the user.
Can someone please help decode this pivot into a simple Splunk search:
| pivot `uA_DM_Session_SessionDetail_Users` Session_SessionDetail_Users
count(Session_SessionDetail_Users) as EventCount
latest(SessionConnectionState) as SessionConnectionState
latest(SessionFgAppName) as SessionFgAppName
latest(SessionUserLower) as User
splitrow
_time
period second
splitrow
SessionGUID
filter host in (*)
| eval Active = case(SessionConnectionState != "active",0, (SessionConnectionState = "active" and SessionFgAppName = "Lock App"),0,(SessionConnectionState = "active" and isnull(SessionFgAppName)),0,1=1,1)
| stats
sum(Active) as Active
sum(EventCount) as EventCount
latest(User) as User
by
SessionGUID
| eval "Active time (%)" = round(Active / EventCount * 100,1)
| eval sortfield='Active time (%)'
| sort limit=0 -sortfield 'Active time (%)'
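
The following is an added walk-through, not part of the original post or the blog it refers to: a Python re-implementation of what the pivot, `eval case(...)` and `stats` steps compute, run over constructed sample events. Field names come from the search; the sample values (including the `disconnected` state) are assumptions, and a missing `SessionConnectionState` is assumed to fall through to the `1=1` branch.

```python
from collections import defaultdict

FIELDS = ("_time", "SessionGUID", "SessionUserLower",
          "SessionConnectionState", "SessionFgAppName")
# Constructed sample events, one per session every 30 s (not real data).
EVENTS = [dict(zip(FIELDS, row)) for row in [
    (0,  "s1", "alice", "active", "Excel"),
    (30, "s1", "alice", "active", "Lock App"),
    (60, "s1", "alice", "active", "Excel"),
    (90, "s1", "alice", "disconnected", None),
    (0,  "s2", "bob", "active", "Outlook"),
    (30, "s2", "bob", "active", None),
    (60, "s2", "bob", "active", "Outlook"),
]]

def latest(events, field):
    """Like SPL latest(): value from the newest event that has the field."""
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev.get(field) is not None:
            return ev[field]
    return None

def is_active(state, fg_app):
    """The eval case(...) from the search, checked top to bottom."""
    if state is not None and state != "active":
        return 0                      # any state other than "active"
    if state == "active" and fg_app == "Lock App":
        return 0                      # screen is locked
    if state == "active" and fg_app is None:
        return 0                      # no foreground application
    return 1                          # the 1=1 catch-all

def active_time(events):
    rows = defaultdict(list)          # pivot: row per (second, SessionGUID)
    for ev in events:
        rows[(int(ev["_time"]), ev["SessionGUID"])].append(ev)
    totals = defaultdict(lambda: {"Active": 0, "EventCount": 0, "User": None})
    for (_, guid), evs in sorted(rows.items()):   # stats ... by SessionGUID
        t = totals[guid]
        t["Active"] += is_active(latest(evs, "SessionConnectionState"),
                                 latest(evs, "SessionFgAppName"))
        t["EventCount"] += len(evs)
        t["User"] = latest(evs, "SessionUserLower") or t["User"]
    out = [{"SessionGUID": g, "User": t["User"],
            "Active time (%)": round(t["Active"] / t["EventCount"] * 100, 1)}
           for g, t in totals.items()]
    return sorted(out, key=lambda r: r["Active time (%)"], reverse=True)

if __name__ == "__main__":
    for row in active_time(EVENTS):
        print(row)
```

The percentage is the share of sampled events classified as active, so it only approximates wall-clock time when each session reports at a fixed interval.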