Hello,
We are trying to track distinct current users logged in and running transactions in a particular application but cannot seem to get the correct search. Our search right now is just index=cerner | timechart span=5m dc(UserName) by host | addtotals, but one of the major flaws is that within that 5 min aggregation window where Splunk is tallying up the users, the graph shows drastic spikes, which will confuse our operations center and make them think that there is something wrong with the application. What would be the best modification to our search syntax to ensure an accurate count of users currently logged in? If the search has to be 5 min in the past, I am fine with that.
Thanks!
Thanks for your feedback.
I made the changes and even had it offset to 5 min before, but it is still showing the drastic drops although the 5 min bucket window has passed. I ran the search at 8:27 and the data point at 8:20 should be accurate. Any other ideas?
Thanks
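As an added illustration of the two problems raised in the question and the follow-up (not code from the original thread, and not Splunk SPL): a fixed-bucket distinct count like timechart span=5m dc(UserName) by host only sees users who emitted an event inside each bucket, and the bucket that contains "now" is still filling, so its value sinks the more recently it started. The constructed events, host names, user names and the 10-minute activity window below are assumptions; the script contrasts the per-bucket count with a sliding "active in the last N seconds" count evaluated at an arbitrary instant.

```python
from collections import defaultdict

# Constructed sample events (not from the original post): (epoch seconds, user, host).
# Each user emits one transaction every `period` seconds for an hour.
EVENTS = [
    (t, user, "app01")
    for user, period in (("alice", 120), ("bob", 300), ("carol", 420))
    for t in range(0, 3600, period)
]
EVENTS += [(t, "dave", "app02") for t in range(900, 2700, 240)]


def distinct_per_bucket(events, now, span=300, drop_partial=False):
    """Mimics `timechart span=5m dc(UserName) by host`: distinct users per
    fixed bucket, using only events up to `now`. The bucket containing
    `now` is incomplete, so it undercounts; `drop_partial` discards it."""
    buckets = defaultdict(lambda: defaultdict(set))
    for t, user, host in events:
        if t <= now:
            buckets[t - t % span][host].add(user)
    if drop_partial:
        buckets.pop(now - now % span, None)
    return {b: {h: len(u) for h, u in hosts.items()}
            for b, hosts in sorted(buckets.items())}


def active_users(events, now, window=600):
    """Sliding-window alternative: users with at least one event in the
    last `window` seconds before `now`, per host. Because the window is
    anchored at the evaluation time rather than at bucket boundaries,
    consecutive evaluations do not drop just after a boundary."""
    per_host = defaultdict(set)
    for t, user, host in events:
        if now - window < t <= now:
            per_host[host].add(user)
    return {h: len(u) for h, u in per_host.items()}


if __name__ == "__main__":
    now = 2701  # one second into the 2700-2999 bucket
    print(distinct_per_bucket(EVENTS, now))                      # bucket 2700 shows 1 user
    print(distinct_per_bucket(EVENTS, now, drop_partial=True))   # last full bucket: 3 + 1
    print(active_users(EVENTS, now))                             # sliding: app01 3, app02 1
```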