The 15th field of our Apache log is the application server session ID. We truncate the _time field to minute, and get a distinct count of sessions in each minute. The number is 14 below because the source array is zero based.<\/p>\n
\r\nhost=strlpecomweb* sourcetype=access_combined \r\n | eval temp=split(_raw,\\\"\\t\\\") \r\n | eval sess=mvindex(temp,14) \r\n | bucket span=1m _time \r\n | stats dc(sess) as sesscount by _time\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"The 15th field of our Apache log is the application server session ID. We truncate the _time field to minute, and get a distinct count of sessions in each minute. The number is 14 below because the source array is…<\/p>\n