All Apps and Add-ons

Timeline Visualization to describe average user behavior, not behavior by individual

Engager

I am basically trying to create a timeline (https://splunkbase.splunk.com/app/3120/) that will show the average duration the users spend on each page at the relative time they accessed it.

Essentially it should look similar to this:alt text

Where each line is a different page(sorry to cut the page names off: confidentiality and all that jazz)


What I need help on is:
*How do I turn the time each event occurred into a relative time for each user? *
e.g. I want to take something like this:

user_A event_1 ---> page_1 timeA_1 durationA_1
event_2 ---> page_2 timeA_2 durationA_2
user_B event_1 ---> page_1 timeB_1 durationB_1
event_2 ---> page_2 timeB_2 durationB_2

And turn it into this:

page_1 avg(time_since_start_1) avg(duration_1)
page_2 avg(time_since_start_2) avg(duration_2)


Right now, I have this pretty simple search for the single user:
MAIN_SEARCH_STUFF user=USER1
| sort _time
| table _time x_page_name user duration

I've tried to expand this using transactions like this:
MAIN SEARCH STUFF user=*
| addinfo
[ transaction user
| eval earliest=info_max_time
| eval stime= round(_time-earliest,0)]
| sort stime
| table stime x_page_name user duration

But, alas, I have had no luck.

Any suggestions are appreciated. If you think of a better approach to solving this I would love to know!

thanks,
Ben

0 Karma