So I have a bespoke Java app running in Tomcat logging out different events which correlate to different sections on the app. Each different page is logged into a different log file so I have multiple sources all under one sourcetype.
There is a key value pair field called 'user' on every line which represents the logged-in user's email address.
I'm able to isolate an event in each source which shows the user has visited that page in the app.
I want to be able to create a report and/or visualisation that can show the order in which the users moved around the app at a high level as a Proof of Concept. I need to be able to visualize multiple users and variations in the journey as it's non-linear.
| table _time,user,page
| chart count(user) over _time by page
| chart count(userjounrney) over _time by page
Any ideas on how we could visualize this in a way that shows the progression of the pages that a specific user hit, and at what time?
I've tried adding this to the end of the search and it visualizes the pages but does not show the order or time at which users visited them:
| eval Page = if(page="acs","ACS",if(page="home","Home",if(page="my-bills","My-Bills",if(page="ebill","eBill",if(page="direct-debit","Direct-Debit",if(page="my-apps","My-Apps",if(page="my-profile","My-Profile",if(page="createprofile","Create-Profile",if(page="my-offers","My-Offers",if(page="faults","Service-Status",if(page="trackorder","Track Order",0)))))))))))
| chart count over Page by user usenull=f useother=f
I have a couple of suggestions. First, I would create a lookup table that maps the name of the source to a page name. I think that this will ultimately be more flexible. The CSV for the lookup table might look like this:
Neither of these is a chart or graph - I don't know of a good way to map a path using the Splunk commands. If you want to use another program (maybe in Java 🙂 ?) to do the visualization, you could do the following search, which compiles the data into a table and exports it as a CSV file:
index=prod user=* NOT message="cache"
| lookup page_map source
| sort user _time
| table _time user title source
| outputcsv useractions
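One way to post-process that export outside Splunk, as an added example that is not part of the original answer: a Python script that rebuilds each user's ordered page path and counts page-to-page moves, which can feed a flow or graph diagram. It assumes the CSV carries the `_time`, `user`, `title` and `source` columns from the `table` command above; the function names, the timestamp format and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the column layout of the search above; values are made up.
SAMPLE_CSV = """_time,user,title,source
2024-05-01T09:00:05,alice@example.com,Home,/logs/home.log
2024-05-01T09:00:40,alice@example.com,My-Bills,/logs/my-bills.log
2024-05-01T09:00:41,alice@example.com,My-Bills,/logs/my-bills.log
2024-05-01T09:02:10,alice@example.com,eBill,/logs/ebill.log
2024-05-01T09:04:00,bob@example.com,My-Bills,/logs/my-bills.log
2024-05-01T09:01:00,bob@example.com,Home,/logs/home.log
"""

def parse_time(value):
    # Epoch seconds or ISO-8601; the export's time format is an assumption.
    try:
        return float(value)
    except ValueError:
        return datetime.fromisoformat(value).timestamp()

def load_journeys(csv_file):  # -> {user: [(epoch, page), ...]} in time order
    hits = defaultdict(list)
    for row in csv.DictReader(csv_file):
        if row.get("user") and row.get("title"):  # skip sources the lookup did not map
            hits[row["user"]].append((parse_time(row["_time"]), row["title"]))
    journeys = {}
    for user, events in hits.items():
        path = []
        for ts, page in sorted(events):  # do not rely on the export order
            if not path or path[-1][1] != page:  # collapse repeated lines for one page view
                path.append((ts, page))
        journeys[user] = path
    return journeys

def transitions(journeys):
    # Page -> page move counts across all users: edge weights for a flow diagram.
    edges = Counter()
    for path in journeys.values():
        pages = [page for _, page in path]
        edges.update(zip(pages, pages[1:]))
    return edges

if __name__ == "__main__":
    journeys = load_journeys(io.StringIO(SAMPLE_CSV))
    for user, path in journeys.items():
        print(user, " -> ".join(page for _, page in path))
    print(transitions(journeys).most_common())
```

The per-user paths keep their timestamps, so the same structure also serves for reviewing what a given account did and in what order.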