Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Calculating page read time
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bulluk
Path Finder
12-23-2011
12:49 AM
I have a requirement from the business to register the time a user stayed on a news story, the idea being that this will be a more accurate measure of a story's interest that page views. I've been trying to work out how to accomplish this and have come up with the following:
- group events by the users' login
- break events into pairs, ie if the user visits 3 links that would be 2 pairs - 1and2, 2and3
- calculate the time between each event pair
- discard events less than 2 minutes (the user didn't read the story) and greater than 30 minutes (the user read the story and then left the window open while they do other stuff) - call this time duration
- calculate the average duration for the first page of each pair
I'm struggling with the grouping of events. The closest I've come is to use the transaction command but I end up throwing loads of events away so I'm seeking some guidance or someone to tell me that I'd doing this in a stupidly complicated way and I should do it like this..... 🙂
Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eelisio2
Path Finder
12-23-2011
12:03 PM
This should get you part of the way there. Not sure if it is more efficient than what you are currently doing.
sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration
Note that the transaction command automatically creates the duration and eventcount fields for an entire transaction. Sort on -steptime is so that the results of the delta command end up with the appropriate page/event.
This does not account for the third page in your posted question. The last page in any set would have a StepDuration of zero.
If you want to eliminate certain StepDurations from the results you can add a search command.
sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | search StepDuration > 120 AND StepDuration < 1800 | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eelisio2
Path Finder
12-23-2011
12:03 PM
This should get you part of the way there. Not sure if it is more efficient than what you are currently doing.
sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration
Note that the transaction command automatically creates the duration and eventcount fields for an entire transaction. Sort on -steptime is so that the results of the delta command end up with the appropriate page/event.
This does not account for the third page in your posted question. The last page in any set would have a StepDuration of zero.
If you want to eliminate certain StepDurations from the results you can add a search command.
sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | search StepDuration > 120 AND StepDuration < 1800 | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration
Get Updates on the Splunk Community!
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
