topic Re: Count number of user access the site in Splunk Search

Count number of user access the site

ndkhoiits — Mon, 10 Feb 2014 14:28:26 GMT

I have 5 sites S1, S2, S3, S4, S5, I used splunk to monitor all requests to these sites. Now I want to statistic number of user who access site S1, S2, S3, S4, S5 per day. For example my data is

u1 accessed site s1

u1 accessed site s2

u1 accessed site s3

u2 accessed site s1

u1 accessed site s2

u2 accessed site s4

u3 accessed site s2

u1 accessed site s1

u1 accessed site s2

u3 accessed site s2

u4 accessed site s1

My expected report is:

S1	S2	S3	S4	S5
3	3	1	1	0

Even s1 was accessed 4 times, but number of user is 3. Same as other sites

How can I have this statistic with splunk 6.

Thank for any suggestion.

Re: Count number of user access the site

gfuente — Mon, 10 Feb 2014 14:35:54 GMT

Hello

You would need an authenticated username, or at least the clientip, on each of the logs. Then you just can use:

sourcetype=access_combined | stats dc(clientip) by source

Just as an example, change the values as necessary

regards

Re: Count number of user access the site

alacercogitatus — Mon, 10 Feb 2014 15:03:18 GMT

Based on your events above:

your_search_for_events | rex field=_raw "(?<user>\w+)\saccessed\ssite\s(?<site>\w+)" | stats dc(user) by site

You may need to change the regex depending if things have special characters or not.

It would be even easier if you used a props/transform extraction to auto pull <user> and <site>.

Re: Count number of user access the site

somesoni2 — Mon, 10 Feb 2014 18:10:54 GMT

Assuming your data have fields user and site already extracted, you can use following to get list of unique users access these site per day.

your base search giving _time, user, site | timechart span=1d dc(user) by site