User session duration calculation

ramous-tun · December 5, 2021, 8:57pm

Hi,
I'm trying to get user session duration by day for the last 30 days from windows logs, so I used Transform but something wrong in my script, I always get duration for all period recorded: from the first login to the last logout.
I saw all similar subjet, but I didn't find somthing working for me.

PUT _transform/windows-login-durations
{
  "source": {
    "index": [
      "windows-security-logs-*"
    ],
    "query": {
      "bool": {
        "should": [
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "EventID": "4634"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          },
          {
            "bool": {
              "should": [
                {
                  "match": {
                    "EventID": "4624"
                  }
                }
              ],
              "minimum_should_match": 1
            }
          }
        ],
        "minimum_should_match": 1
      }
   }
  },
  "pivot": {
"group_by": {
    "TargetLogonId": {
      "terms": {
        "field": "TargetLogonId"
      }
    },
    "TargetUserName.keyword": {
      "terms": {
        "field": "TargetUserName.keyword"
      }
    },
    "Hostname.keyword": {
      "terms": {
        "field": "Hostname.keyword"
      }
    },
    "timestamp": {
      "terms": {
        "field": "@timestamp"
      }
    }
  },
  "aggregations": {
    "time_frame.lte": {
      "max": {
        "field": "@timestamp"
      }
    },
    "time_frame.gte": {
      "min": {
        "field": "@timestamp"
      }
    },
    "duration": {
      "bucket_script": {
        "buckets_path": {
            "min": "time_frame.gte.value",
            "max": "time_frame.lte.value"
        },
          "script": "(params.max - params.min)/1000"
      }
    }
  }
  },
  "frequency": "1m",
  "dest": {
    "index": "windows-login-durations"
  }
}

przemekwitek · December 7, 2021, 9:19am

Hi,
Could you please try changing terms to date_histogram in the pivot.group_by section?
It does not seem right to me to use terms together with timestamp if you need to group "by day".
I think it should look similar to:

    "timestamp": {
      "date_histogram": {
        "field": "@timestamp",
        "calendar_interval": "1d"
      }
    }

ramous-tun · December 8, 2021, 10:20am

Thanks @przemekwitek, that's worked for me.

system · January 5, 2022, 10:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Calculating Windows User Session Duration Kibana	1	163	February 15, 2024
How to calculate the total time a user was logged in/out per day? Elasticsearch	1	357	July 5, 2018
Trying to run the 'Get duration by using bucket script' but not working Elasticsearch painless , transforms	6	682	May 14, 2021
How to calc login,logout duration inside special time span Elasticsearch	4	109	July 2, 2024
Calculated fields Kibana	3	296	June 5, 2020

User session duration calculation

Related topics