Solved: data filtering(?) question

hylee · ‎07-02-2013

Hi,
In our website, all the visitors get SESSION_ID.

for example,
[no=1 visit_time=2013/07/02 09:30:30 session_id=aaa]
[no=2 visit_time=2013/07/02 09:35:30 session_id=aaa]
[no=3 visit_time=2013/07/02 09:40:30 session_id=bbb]
[no=4 visit_time=2013/07/02 09:50:30 session_id=ccc]

When index to SPLUNK, search result(count) is "4".

"no=1..." and "no=2..." are same people.
In this case, this people visited two times our website in 10 minutes.

Q)
If someone visit several times(ex. 3 times) in 10 minutes, is there a way to see the result(count) as "1"?

adityapavan18 · ‎07-03-2013

I guess you could use transaction command on session_id with max span and do a count like

|transaction session_id maxspan=10m | stats count

this might work!!

View solution in original post

adityapavan18 · ‎07-03-2013

I guess you could use transaction command on session_id with max span and do a count like

|transaction session_id maxspan=10m | stats count

this might work!!

hylee · ‎07-03-2013

Thank you so much!! I solved it!!

data filtering(?) question

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!