Splunk Search

Consequent days measurement?

Yarsa
Path Finder

Hi, let's say "user X" visited my site on these dates:
2/3/2012
2/4/2012
2/5/2012
10/5/2012
11/5/2012

How can I count the number of consequent days "user X" visited?
I would like for the output to be

User X - 3 (consequent days)
User X - 2 (consequent days)

I'd appreciate any ideas :)

1 Solution

lguinn2
Legend

Try this

yoursearchhere | 
bucket _time span=1d | 
dedup user _time | 
transaction user maxpause=1d |
table user eventcount | sort user

After you have done your search, whatever it is, the commands that follow

  • group the time by day - ignoring hours, minutes, etc.
  • eliminate multiple events from the same user on the same day, leaving a max of 1 event per user per day
  • group the events into transactions based on the user name, with the provision that there cannot be a gap of greater than a day between events in the transaction
  • for each user, list the number of events


Yarsa
Path Finder

OK, thanks very much :)

0 Karma

lguinn2
Legend

I couldn't figure out how to do that, but this version will list the date/times for each user along with the count:

yoursearchhere |
fields user | eval datetime=strftime(_time,"%x %X") |
bucket _time span=1d |
dedup user _time |
transaction user maxpause=1d mvlist=datetime |
sort user _time |
table user eventcount datetime

0 Karma

Yarsa
Path Finder

Thanks :) it works very well.
I was also wondering if there is a way to define a condition to require an 8-hour difference between events when they occur on two consecutive days.

For example when the user visited on
2/3/2012 23:50
2/4/2012 00:15

I don't want to count this case as two consecutive days.

Is it possible, or am I asking too much?
Thanks

0 Karma
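The grouping that lguinn2's search performs (bucket by day, dedup per user per day, split into transactions when two days are more than a day apart) re-implemented in Python as an added example, so the counts can be checked offline against dates like the ones in the question. This is not SPL and not code from the thread; the sample events are constructed, and the optional `min_gap_hours` parameter is my extension for the 8-hour follow-up question above, which the thread itself does not answer.

```python
from datetime import datetime, timedelta
from itertools import groupby
from operator import itemgetter

# Constructed sample events modelled on the question: user X has three
# consecutive days, then two more, with a second visit on the first day and
# a 23:50 / 00:15 pair that straddles midnight. Not data from the thread.
SAMPLE_EVENTS = [
    ("X", "2012-02-03 09:00"), ("X", "2012-02-03 17:30"),
    ("X", "2012-02-04 23:50"), ("X", "2012-02-05 00:15"),
    ("X", "2012-05-10 12:00"), ("X", "2012-05-11 08:00"),
    ("Y", "2012-02-04 10:00"),
]


def consecutive_day_runs(events, min_gap_hours=0):
    """Return {user: [run_length, ...]}, mirroring the SPL pipeline
    bucket span=1d -> dedup user _time -> transaction user maxpause=1d.
    min_gap_hours is an extension (hypothetical, not in the thread): an event
    that follows the previous event of the same user by less than this many
    hours is treated as the same visit and attributed to that earlier visit's
    day. With the default of 0 the function reproduces the original search."""
    min_gap = timedelta(hours=min_gap_hours)
    parsed = sorted((u, datetime.strptime(t, "%Y-%m-%d %H:%M")) for u, t in events)
    result = {}
    for user, group in groupby(parsed, key=itemgetter(0)):
        days, last = [], None
        for _, ts in group:
            if last is not None and ts - last < min_gap:
                last = ts                        # same visit: no new day
                continue
            last = ts
            day = ts.date()                      # bucket _time span=1d
            if not days or days[-1] != day:      # dedup user _time
                days.append(day)
        runs = []                                # transaction maxpause=1d
        for day in days:
            if runs and day - runs[-1][-1] == timedelta(days=1):
                runs[-1].append(day)
            else:
                runs.append([day])
        result[user] = [len(r) for r in runs]
    return result


if __name__ == "__main__":
    for label, hours in (("no minimum gap", 0), ("8 hour minimum gap", 8)):
        print(label)
        for user, runs in consecutive_day_runs(SAMPLE_EVENTS, hours).items():
            for n in runs:
                print(f"  User {user} - {n} (consecutive days)")
```

With the default gap user X yields 3 and 2, as the question expects; with an 8-hour minimum the 23:50/00:15 pair collapses into one day and the first run drops to 2.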