- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to find unique and returning visitors afte...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find unique and returning visitors after grouping access log events into transactions?
Hello all,
I'm analyzing some access logs where I'm trying to determine unique and returning visitors. So far, I've grouped my events into transactions with the following:
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| eval user_type=case(eventcount>=1,"Entrance")
and now I'm trying to figure out how to go from there to obtain unique and returning visitors.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, starting from your search:
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| eval user_type=case(eventcount>=1,"Entrance")
I am not sure what user_type means. The eventcount is the number of events within a single transaction, not the number of times a user has appeared.
I would do this
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| stats count by clientip
| eval status=if(count==1,"New","Returning")
| stats count by status
| eval TotalUniqueUsers=New+Returning
You should end up with two columns of output - New contains the number of clientip addresses that appear only once, and Returning is the number that appear multiple times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help. I'll try this. I should have given a little more background. Example: a user entering a website(including all pages) for the first time could view multiple pages. As a result, the clientip would appear multiple times, each as an event, and thus returning the user as a returner;that's why I grouped events into transactions.... to count each transaction as an event. From there, I want to obtain the count of new users vs returning users.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=access_* | transaction clientip maxpause=1h keepevicted=t mvlist=t | eval user_type=case(eventcount>=1,"Entrance") | dedup clientip ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| dedup userID
to figure out unique visitors?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
