Splunk Search

Help with stats count between two urls

stephenreece
New Member

Hi all, hope there is a way to do the following.

I am trying to find out how many events it takes for a user to go from "start" URL to "end" URL.

This is important as the start and end URLs are not the session start and end points but I need to ONLY count the events inside the start and end URLs.

Start URL is "start"
Finish URL is "end"

Journeys events look like:

enter site
info pages
login
auths
*
START URL*
....lots and lots of events in and outside of source & types so the main search can't search by source/type as it would exclude important counts.
END URL*
continue
detail
exit*

Urls are held in the same data field (lets say "url"), however, a user journey can go through multiple sources, multiple types, multiple different auth journeys (all keep the same sessionID) but we could be looking at 400+ events per journey and the ONLY CONTINUOUS data field is sessionID.

Any ideas are greatly appreciated.

0 Karma

woodcock
Esteemed Legend

Like this (assuming that you already have a JSESSIONID field or something like user that you can use for that):

| makeresults
| addinfo
| foreach info_*_time [ eval <<FIELD>> = strftime(<<FIELD>>, "%m/%d/%Y:%H:%M:%S") ]
| map search="|gentimes increment=1m start=$info_min_time$ end=$info_max_time$"
| streamstats count AS _serial
| eval JESSIONID=if(_serial<=30, "1", "2")
| streamstats count AS _serial BY JESSIONID
| eval URL=case(_serial<5 OR _serial>25, "ignore" . _serial, _serial=="5", "start", _serial=="25", "end", true(), "include" . _serial)
| rename starttime AS _time
| table _time JESSIONID URL
| sort 0 -_time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(eval(match(URL, "end"))) AS endID BY JESSIONID
| reverse
| streamstats count(eval(match(URL, "start"))) AS startID BY JESSIONID
| where endID==startID
| stats dc(URL) count(URL) BY JESSIONID
0 Karma

to4kawa
Ultra Champion
index=your_index sourcetype=your_sourcetype "START URL" OR "END URL"
|reverse
|streamstats count(eval("START URL")) as session by user
|stats values(_raw)  by session user

there are not sample logs.
I can only make this much

0 Karma

adonio
Ultra Champion
0 Karma

stephenreece
New Member

thanks adonio,

eventstats looks promising as i think i will need eventstats start from and end with parameters (i can't filter the search by the main search parameters as the journeys going into 20+ multiple audittypes/sources so i would have to be very specific from start and end url.

0 Karma

BainM
Communicator

Hi stephenreece-

I have a dumb question: Did you try and use the SessionID as the pivot point variable for an entire user process?
If you haven't, you might want to try a transaction command.

stephenreece
New Member

thanks for the suggestion.. i am trying the transaction start and end (i've used it before but where the source/type changes to an absolute value i.e. starts=requestreceived ends=outboundcall.. but am struggling to use it with a wildcard url field... it would be starts=tags.url=start end=tags.url=end.

I dont think transaction is handling wildcards and field references very well.

0 Karma

stoutrw
Path Finder

Upvote BainM's answer on the transaction command. It is super helpful if you have a common identifier across events that you want to group together. You can get delta information about the time between the different events in the same transaction along with the event count which is what I think you're looking for.

0 Karma

stephenreece
New Member

i think thats the part i am struggling with.... i transaction a lot which is really useful but it groups together so i lose the raw event count (i.e. 500 events rolled into 3 transactioned counts).

so i need to be able to count the 500 total events between the 2 urls (i don't care about the transactioned 3 events as the transaction is just a way to isolate the journey part i want to measure.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...