Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Determining how many visits before an action is taken

brettcave
Builder
‎09-20-2012 02:50 AM

I am trying to determine the number of visits a user makes before a certain action takes place in a report. I have a visitorId, a sessionId and classification of event types, but I am not sure how to determine this.

VisitorId="x" SessionId="a" uri="/"
VisitorId="x" SessionId="b" uri="/login"
VisitorId="x" SessionId="c" uri="/login"
VisitorId="x" SessionId="c" action="updateProfile" <-- logged via a different mechanism
VisitorId="x" SessionId="d" uri="/about"

In the example, a visitor has had 4 sessions. They updated their profile during their 3rd session.

I was thinking of using a transaction by VisitorID, with an endswith being eventtype=UpdateProfile (the event type being defined as having an action of updateProfile), but cannot do a distinct mvcount on SessionId. How could I go about determining the number of distinct sessionIds by visitorId before a certain event takes place?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cphair
Builder
‎09-20-2012 08:11 AM

If SessionIds are unique per host, something like this might work. This assumes action is an explicit field, but if it isn't, you might search on _raw instead. Also it only identifies the first updateProfile occurrence; if you want to find them all I can try tweaking this.



... transaction VisitorId,SessionId | eval keyevent=if(isnotnull(mvfind(action,"updateProfile")),SessionId,null) | stats earliest(keyevent) as earliest, values(SessionId) as sessions by VisitorId | eval num=mvfind(sessions,earliest) | eval num=if(isnotnull(num), num+1,null) | table host, earliest, sessions, num

View solution in original post

Reply
Solved! Jump to solution
Solution

cphair
Builder
‎09-20-2012 08:11 AM

If SessionIds are unique per host, something like this might work. This assumes action is an explicit field, but if it isn't, you might search on _raw instead. Also it only identifies the first updateProfile occurrence; if you want to find them all I can try tweaking this.



... transaction VisitorId,SessionId | eval keyevent=if(isnotnull(mvfind(action,"updateProfile")),SessionId,null) | stats earliest(keyevent) as earliest, values(SessionId) as sessions by VisitorId | eval num=mvfind(sessions,earliest) | eval num=if(isnotnull(num), num+1,null) | table host, earliest, sessions, num

Reply
Solved! Jump to solution

brettcave
Builder
‎01-23-2013 04:39 AM

thanks. using stats with the "values" function is the key to getting the correct data.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...