- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Consequent days measurement?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Let's say "user X" visited my site on these dates:
2/3/2012
2/4/2012
2/5/2012
10/5/2012
11/5/2012
How can I count the number of consequent days "user X" visited?
I would like for the output to be
User X - 3 (consequent days)
User X - 2 (consequent days)
I'll appreciate any ideas:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yoursearchhere |
bucket _time span=1d |
dedup user _time |
transaction user maxpause=1d |
table user eventcount | sort user
After you have done your search, whatever it is, the commands that follow
- group the time by day - ignoring hours, minutes, etc.
- eliminate multiple events from the same user on the same day, leaving a max of 1 event per user per day
- group the events into transactions based on the user name, with the provision that there cannot be a gap of greater that a day between events in the transaction
- for each user, list the number of events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yoursearchhere |
bucket _time span=1d |
dedup user _time |
transaction user maxpause=1d |
table user eventcount | sort user
After you have done your search, whatever it is, the commands that follow
- group the time by day - ignoring hours, minutes, etc.
- eliminate multiple events from the same user on the same day, leaving a max of 1 event per user per day
- group the events into transactions based on the user name, with the provision that there cannot be a gap of greater that a day between events in the transaction
- for each user, list the number of events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks very much:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I couldn't figure out how to do that, but this version will list the date/times for each user along with the count:
yoursearchhere |
fields user | eval datetime=strftime(_time,"%x %X") |
bucket _time span=1d |
dedup user _time |
transaction user maxpause=1d mvlist=datetime|
sort user _time |
table user eventcount datetime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks:) it works very good.
I was also wondering if there is a way to define a condition to limit events with 8 hour difference between them when they occur on two consecutive days.
For example when the user visited on
2/3/2012 23:50
2/4/2012 00:15
I don't want to count this case as two consecutive days.
Is it possible or I'm asking too much?
thanks
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
