Hi,
I have the below events. This is for one clientSessionId. It begins with analyticType=SessionStart
and then has several different analyticTypes and some of those analyticTypes have Properties.index values. What I would like to do is have a multi-level SanKey graph that shows each event count as the user navigates thru the application.
I can get to 2 levels but struggling with getting 3+ levels.
Thoughts?
10/17/18
12:46:29.000 PM
{ [-]
Properties: { [-]
analyticsConfigs: { [+]
}
appVersion: 9.1.1.905
buildTarget: blah
category: Event
networkStatus: { [+]
}
osName: Android
platformData: { [+]
}
}
analyticType: SessionStart
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.appVersion = 9.1.1.905 Properties.buildTarget = blah Properties.category = Event Properties.networkStatus.NT = 6 Properties.osName = Android Properties.platformData.BL = 2 Properties.platformData.BP = 0 Properties.platformData.FF = 1 Properties.platformData.HC = samsung Properties.platformData.HM = SM-G925V Properties.platformData.LL = en Properties.platformData.LO = US Properties.platformData.OJ = 7.0 Properties.platformData.OS = 2 Properties.platformData.SA = 16471093248 Properties.platformData.ST = 25727954944 Properties.platformData.SU = 9256861696 Properties.platformData.UI = d19d426e39577858 analyticType = SessionStart buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:29.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 33
}
analyticType: CustomAnalytic
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1539798386896,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798387487} Properties.category = Event Properties.index = 33 analyticType = CustomAnalytic buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:30.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 33
}
analyticType: CustomAnalytic
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1539798387990,"responseStatus":401,"responseStatusText":"Unauthorized","success":false,"responseTime":1539798388122,"data":"failed"} Properties.category = Event Properties.index = 33 analyticType = CustomAnalytic buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 33
}
analyticType: CustomAnalytic
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/login","params":{"expand":"sites,instances,points,functions"},"requestStartTime":1539798388695,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389134} Properties.category = Event Properties.index = 33 analyticType = CustomAnalytic buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
}
analyticType: User
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 482129 Properties.category = Event analyticType = User buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
category: Event
}
analyticType: _initCampaigns
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.category = Event analyticType = _initCampaigns buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
category: Event
index: 41
}
analyticType: Checkpoint
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.category = Event Properties.index = 41 analyticType = Checkpoint buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 33
}
analyticType: CustomAnalytic
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/users/368066","params":{},"requestStartTime":1539798389218,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389392} Properties.category = Event Properties.index = 33 analyticType = CustomAnalytic buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 33
}
analyticType: CustomAnalytic
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = {"method":"GET","url":"/rest/icontrol/sites/482129/partnerNames","params":{},"requestStartTime":1539798389226,"responseStatus":200,"responseStatusText":"OK","success":true,"responseTime":1539798389486} Properties.category = Event Properties.index = 33 analyticType = CustomAnalytic buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 9
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 1 Properties.category = Event Properties.index = 9 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [-]
args: [ [+]
]
category: Event
index: 7
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index = 7 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [+]
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 2 Properties.category = Event Properties.index = 6 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [+]
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index = 8 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [+]
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 1 Properties.category = Event Properties.index = 17 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [+]
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 2 Properties.category = Event Properties.index = 5 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
10/17/18
12:46:31.000 PM
{ [-]
Properties: { [+]
}
analyticType: Counter
buildTarget: blah
clientSessionId: DZPNFX-ASLAEX
product: blah
}
Show as raw text
Properties.args{} = 0 Properties.category = Event Properties.index = 18 analyticType = Counter buildTarget = blah clientSessionId = DZPNFX-ASLAEX product = blah
hi @dbcase,
Did either of the answers below solve your problem? If so, please resolve by approving one of them. If your problem is still not solved, keep us updated so that someone else can help ya. Thanks!
HI @dbcase
Thanks for posting on Splunk Answers.
I'm glad to see that you are using the Karma bounty feature! However, it won't work if you don't engage with the user trying to answer your question. Please approve the question below so the user can receive their Karma points. Or, if the solution didn't help you, please explain why so that they — or someone else — can.
Thanks!
Hi dbcase,
That will not work, instead you will need to change the search so that for example you only get events from the receiving part and use the connecting client information from those events - if that makes sense?
Take a look at this run everywhere search to show the data flow in Splunk:
index=_internal sourcetype=splunkd group=tcpin_connections component=metrics host=*
| fields host hostname kb fwdType
| eval hostname=if(fwdType="uf", "uf", hostname), from=hostname, to=host
| stats sum(kb) AS KBs by from to
This will show a nice multilevel sankey and you can use it to understand how it can be done 😉
hope this helps ...
cheers, MuS
Hi Mus! Its been a looooong time! Tried the run everywhere search you provided and it does run but its still only a 2 level (from and to) SanKey
Did you look at the sankey ? I just added an image to the answer how it looks 😉
Thats very strange, your's has 3 levels and looks like what I'm looking for but I run the same query and only get 2
UF -> idx7.blah.splunkcloud.com
In the environment I took the screenshot is a HWF layer, therefore I got three levels. There used to be an example in the docs using weblogs showing the how people browser the web page using a multilayer sankey graph .... haven't found it yet though 😕
cheers, MuS
It is not entirely clear to me based on the data what you are attempting to do, but to get a multilevel Sankey diagram, you will never get one using the same field as your from for each metric. This will create a graphic that connects that from to multiple to locations. For example, if you are trying to track a client moving through an app, you might format your table so that the first value for from is your session id and the to is your first properties.index. The next would be a from value of properties.index from the first event and the to value would be the properties.index from the second event. You might be able to accomplish this with streamstats. Otherwise all you will ever have here is the session id connected to multiple index values.
Hi Nrduren1115,
Yea thats what I'm finding out. Trying to figure out how to "trick" the sankey engine to see them differently.
What do you want the diagram to look like in the end? I'm still not clear. Do you want to see how many people when from a -> b -> c vs. how many went from a -> c -> d or straight from a ->c?
Hi Nrduren1115,
Looking to see
clientSessionId->analyticType+properties.index->(next) analyticType+properties.index->(next) analyticType+properties.index
Essentially tracking the user throughout the application to see where they went. This is so we can show which features are more popular
Here is the query I'm using to get to 2 levels
index=wholesale_app buildTarget=blah product=* analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi|rename clientSessionId as from pi as to|eval api=analyticType+pi| stats count by from to|where count>50
index=wholesale_app buildTarget=blah product=* analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi| streamstats window=1 current=false values(pi) as prev_pi, values(analyticType) as prev_analyticType by clientSession | eval to=pi+anaylticType, from=prev_pi+prev_anaylticType | stats count by from, to
This should get you the multilevel Sankey diagram but with all the sessions in one. If you want to see which specific clients start where, you can append a search that has the clientSession as the from and the to field being the pi+analyticType from the start_session event.
Another attempt, closer but still not what I'm looking for
index=wholesale_app buildTarget=cox product=* analyticType!="Counter" AND (analyticType!="CustomAnalytic" AND Properties.index!=33)|rename Properties.index as pi|eval api=analyticType+pi| stats count by clientSessionId api|where count>50