All Apps and Add-ons

How do I create a multi-level SanKey graph that shows each event count as the user navigates thru the application?

dbcase
Motivator

Hi,

I have the below events. This is for one clientSessionId. It begins with analyticType=SessionStart and then has several different analyticTypes and some of those analyticTypes have Properties.index values. What I would like to do is have a multi-level SanKey graph that shows each event count as the user navigates thru the application.

I can get to 2 levels but struggling with getting 3+ levels.

Thoughts?

10/17/18
12:46:29.000 PM 
{   [-] 
     Properties:    {   [-] 
         analyticsConfigs:  {   [+] 
        }   
         appVersion:     9.1.1.905  
         buildTarget:    blah   
         category:   Event  
         networkStatus: {   [+] 
        }   
         osName:     Android    
         platformData:  {   [+] 
        }   
    }   
     analyticType:   SessionStart   
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.appVersion = 9.1.1.905 Properties.buildTarget =  blah Properties.category =  Event Properties.networkStatus.NT = 6 Properties.osName =   Android Properties.platformData.BL =    2 Properties.platformData.BP =  0 Properties.platformData.FF =  1 Properties.platformData.HC =  samsung Properties.platformData.HM =    SM-G925V Properties.platformData.LL =   en Properties.platformData.LO = US Properties.platformData.OJ = 7.0 Properties.platformData.OS =    2 Properties.platformData.SA =  16471093248 Properties.platformData.ST =    25727954944 Properties.platformData.SU =    9256861696 Properties.platformData.UI = d19d426e39577858 analyticType = SessionStart buildTarget =  blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:29.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  33 
    }   
     analyticType:   CustomAnalytic 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1539798386896,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798387487} Properties.category =    Event Properties.index =    33 analyticType =   CustomAnalytic buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:30.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  33 
    }   
     analyticType:   CustomAnalytic 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1539798387990,"responseStatus":401,"responseStatusText":"Unauthorized","success":false,"responseTime":1539798388122,"data":"failed"} Properties.category = Event Properties.index =    33 analyticType =   CustomAnalytic buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  33 
    }   
     analyticType:   CustomAnalytic 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/login","params":{"expand":"sites,instances,points,functions"},"requestStartTime":1539798388695,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389134} Properties.category =  Event Properties.index =    33 analyticType =   CustomAnalytic buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
    }   
     analyticType:   User   
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 482129 Properties.category =    Event analyticType =    User buildTarget =  blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         category:   Event  
    }   
     analyticType:   _initCampaigns 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.category =   Event analyticType =    _initCampaigns buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         category:   Event  
         index:  41 
    }   
     analyticType:   Checkpoint 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.category =   Event Properties.index =    41 analyticType =   Checkpoint buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  33 
    }   
     analyticType:   CustomAnalytic 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/users/368066","params":{},"requestStartTime":1539798389218,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389392} Properties.category =  Event Properties.index =    33 analyticType =   CustomAnalytic buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  33 
    }   
     analyticType:   CustomAnalytic 
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/sites/482129/partnerNames","params":{},"requestStartTime":1539798389226,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389486} Properties.category = Event Properties.index =    33 analyticType =   CustomAnalytic buildTarget =    blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  9  
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 1 Properties.category = Event Properties.index =    9 analyticType =    Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [-] 
         args:  [   [+] 
        ]   
         category:   Event  
         index:  7  
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index =    7 analyticType =    Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [+] 
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 2 Properties.category = Event Properties.index =    6 analyticType =    Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [+] 
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index =    8 analyticType =    Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [+] 
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 1 Properties.category = Event Properties.index =    17 analyticType =   Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [+] 
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 2 Properties.category = Event Properties.index =    5 analyticType =    Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM 
{   [-] 
     Properties:    {   [+] 
    }   
     analyticType:   Counter    
     buildTarget:    blah   
     clientSessionId:    DZPNFX-ASLAEX  
     product:    blah   
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index =    18 analyticType =   Counter buildTarget =   blah clientSessionId =  DZPNFX-ASLAEX product = blah
Tags (1)
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @dbcase,

Did either of the answers below solve your problem? If so, please resolve by approving one of them. If your problem is still not solved, keep us updated so that someone else can help ya. Thanks!

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

HI @dbcase

Thanks for posting on Splunk Answers.

I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.

Thanks!

0 Karma

MuS
SplunkTrust
SplunkTrust

Here is an example:

alt text

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi dbcase,

That will not work, instead you will need to change the search so that for example you only get events from the receiving part and use the connecting client information from those events - if that makes sense?

Take a look at this run everywhere search to show the data flow in Splunk:

index=_internal sourcetype=splunkd group=tcpin_connections component=metrics host=*
| fields host hostname kb fwdType
| eval hostname=if(fwdType="uf", "uf", hostname), from=hostname, to=host
| stats sum(kb) AS KBs by from to

This will show a nice multilevel sankey and you can use it to understand how it can be done 😉

hope this helps ...

cheers, MuS

0 Karma

dbcase
Motivator

Hi Mus! Its been a looooong time! Tried the run everywhere search you provided and it does run but its still only a 2 level (from and to) SanKey

0 Karma

MuS
SplunkTrust
SplunkTrust

Did you look at the sankey ? I just added an image to the answer how it looks 😉

0 Karma

dbcase
Motivator

Thats very strange, your's has 3 levels and looks like what I'm looking for but I run the same query and only get 2

UF -> idx7.blah.splunkcloud.com

0 Karma

MuS
SplunkTrust
SplunkTrust

In the environment I took the screenshot is a HWF layer, therefore I got three levels. There used to be an example in the docs using weblogs showing the how people browser the web page using a multilayer sankey graph .... haven't found it yet though 😕

cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust
0 Karma

nrduren1115
Explorer

It is not entirely clear to me based on the data what you are attempting to do, but to get a multilevel Sankey diagram, you will never get one using the same field as your from for each metric. This will create a graphic that connects that from to multiple to locations. For example, if you are trying to track a client moving through an app, you might format your table so that the first value for from is your session id and the to is your first properties.index. The next would be a from value of properties.index from the first event and the to value would be the properties.index from the second event. You might be able to accomplish this with streamstats. Otherwise all you will ever have here is the session id connected to multiple index values.

0 Karma

dbcase
Motivator

Hi Nrduren1115,

Yea thats what I'm finding out. Trying to figure out how to "trick" the sankey engine to see them differently.

0 Karma

nrduren1115
Explorer

What do you want the diagram to look like in the end? I'm still not clear. Do you want to see how many people when from a -> b -> c vs. how many went from a -> c -> d or straight from a ->c?

0 Karma

dbcase
Motivator

Hi Nrduren1115,

Looking to see

clientSessionId->analyticType+properties.index->(next) analyticType+properties.index->(next) analyticType+properties.index

Essentially tracking the user throughout the application to see where they went. This is so we can show which features are more popular

0 Karma

dbcase
Motivator

Here is the query I'm using to get to 2 levels

index=wholesale_app buildTarget=blah product=*   analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi|rename clientSessionId as from pi as to|eval api=analyticType+pi| stats count by from to|where count>50
0 Karma

nrduren1115
Explorer
index=wholesale_app buildTarget=blah product=*   analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi| streamstats window=1 current=false values(pi) as prev_pi, values(analyticType) as prev_analyticType by clientSession | eval to=pi+anaylticType, from=prev_pi+prev_anaylticType | stats count by from, to

This should get you the multilevel Sankey diagram but with all the sessions in one. If you want to see which specific clients start where, you can append a search that has the clientSession as the from and the to field being the pi+analyticType from the start_session event.

0 Karma

dbcase
Motivator

Another attempt, closer but still not what I'm looking for

index=wholesale_app buildTarget=cox product=*   analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi|eval api=analyticType+pi| stats count by clientSessionId api|where count>50
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...