Archive

How can I count only users who exceeded a specific number of visits to web pages?

New Member

I want to find users who visited more than 1,000 urls in a month and the field name is cs_uri.
I tried this:

sourcetype= my sourcetype, index=my index, user=******| table date_month date time  user category cs_uri  | where cs_uri > 1,000.

I want a list of users only when the count is GT 1,000 for my date range. I do not get any results when I use the where command but I do when I take it off.

Tags (1)
0 Karma
1 Solution

Ultra Champion

You'll first need to count the URLs visited by a user before you can filter for count greater than 1000.

For example:

index=my index, user=**
| stats count by user
| search count>1000

View solution in original post

0 Karma

Legend

If you want to get the total number or URLs visited by each user for current month and then display details only for users who exceeded 1000 visits to URLs in total you can use eventstats command. (PS: If you need unique URLs visited to be > 1000, you would need to use dc() instead of count()

<YourBaseSearch> earliest=@mon latest=now
| eventstats count(cs_uri) as TotalURLsVisited by user
| search TotalURLsVisited > 1000
| table date_month _time user category cs_uri

Following is a run anywhere example from Splunk's _internal index for sourcetype=splunkd_access

index=_internal sourcetype="splunkd_access" earliest=@mon latest=now
| eventstats count(uri) as TotalURLsVisited by user
| search TotalURLsVisited>1000
| table date_month _time user method status uri
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Ultra Champion

You'll first need to count the URLs visited by a user before you can filter for count greater than 1000.

For example:

index=my index, user=**
| stats count by user
| search count>1000

View solution in original post

0 Karma

New Member

thank you for your help, i am running this new query now, but am queued up so it is taking a bit longer than usual.

0 Karma

Legend

@rickettw, @FrankVl, use of stats will retain only two fields after second pipe i.e. count and user. Which implies final table will not display required table for other fields.

Refer to my answer below as this is a usecase for eventstats if you want to display the entire table after stats. Also either count(cs_uri) as TotalURLsVisited or dc(cs_uri) as UniqueURLsVisited should be used as per the use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

One issue I am having is my search is with an enterprise that has over 400000 users so I am only running it for Last 7 Days, to gain an idea who is spending time on the internet rather than their normal duties. The results i am getting just like the events and are not downloadable, in other words I am just getting events not statistics even with the table command. I will try the eventstats command, but am not sure where it goes: does this look correct? sourcetype="access:file", index="proxytraffic" earliest=@mon latest=now | eventstats count(uri) as TotalURLsVisited by user | search TotalURLsVisited>10000| table date_month _time user method status uri

0 Karma

Ultra Champion

Fair point, I had them the other way around originally, then thought to optimize things a bit, but clearly didn't fully think that through 🙂

Let me adjust that.

Question spoke about "a list of users" which my solution would give. If you indeed want to just filter the original data for those entries that relate to users that have over 1000 entries, then eventstats is indeed the way to go.

0 Karma

Communicator

Did you try removing the comma from 1,000?

0 Karma

New Member

thanks, i did eliminate the , and am running the report now.

0 Karma

Communicator

Try this

sourcetype= my sourcetype index=my index user=* | stats count | where cs_uri>1000 | table date_month date time user category cs_uri

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!