Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count events that occurred 60 minutes apart...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srive326
Explorer
04-29-2020
02:06 PM
Hello everyone,
I need help with a search.
I have a table with the following fields:
VISITDATE USERNUMBER WEBSITE
4/19/2020 7:15:11 001 www.google.com
4/26/2020 10:24:03 001 www.google.com
4/26/2020 10:33:03 001 www.google.com
4/26/2020 11:15:12 001 www.google.com
4/26/2020 11:30:12 001 www.google.com
4/28/2020 14:30:12 001 www.google.com
I want to count the number of visits (by usernumber and website) that occurred 60 minutes apart, and return the earliest
time in that 60-minute bucket.
VISITDATE USERNUMBER WEBSITE COUNT
4/19/2020 7:15:11 001 www.google.com 1
4/26/2020 10:24:03 001 www.google.com 3
4/26/2020 11:30:12 001 www.google.com 1
4/28/2020 14:30:12 001 www.google.com 1
For example, using bins or buckets with a 60-min/1-hour time span that snap to the hour 10:00 -11:00 is one hour and that would give me this result, which I don't want:
VISITDATE USERNUMBER WEBSITE COUNT
4/19/2020 7:15:11 001 www.google.com 1
4/26/2020 10:24:03 001 www.google.com 2
4/26/2020 11:15:12 001 www.google.com 2
4/28/2020 14:30:12 001 www.google.com 1
Thank you in advance for your help.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-29-2020
03:49 PM
| makeresults
| eval _raw="VISITDATE,USERNUMBER,WEBSITE
4/19/2020 7:15:11,001,www.google.com
4/26/2020 10:24:03,001,www.google.com
4/26/2020 10:33:03,001,www.google.com
4/26/2020 11:15:12,001,www.google.com
4/26/2020 11:30:12,001,www.google.com
4/28/2020 14:30:12,001,www.google.com"
| multikv forceheader=1
| eval _time=strptime(VISITDATE,"%m/%d/%Y %T")
| autoregress _time as prev_time
| streamstats count(eval(_time - prev_time > 3600)) as session1
| streamstats min(_time) as session_min by session1
| eval session2=if(_time - session_min <= 3600, "T","N")
| eval tmp=session1.session2
| streamstats dc(tmp) as session3
| stats count as COUNT min(_time) as _time by USERNUMBER WEBSITE session3
| eval VISITDATE=strftime(_time,"%m/%d/%Y %T")
| table VISITDATE,USERNUMBER,WEBSITE,COUNT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-29-2020
03:49 PM
| makeresults
| eval _raw="VISITDATE,USERNUMBER,WEBSITE
4/19/2020 7:15:11,001,www.google.com
4/26/2020 10:24:03,001,www.google.com
4/26/2020 10:33:03,001,www.google.com
4/26/2020 11:15:12,001,www.google.com
4/26/2020 11:30:12,001,www.google.com
4/28/2020 14:30:12,001,www.google.com"
| multikv forceheader=1
| eval _time=strptime(VISITDATE,"%m/%d/%Y %T")
| autoregress _time as prev_time
| streamstats count(eval(_time - prev_time > 3600)) as session1
| streamstats min(_time) as session_min by session1
| eval session2=if(_time - session_min <= 3600, "T","N")
| eval tmp=session1.session2
| streamstats dc(tmp) as session3
| stats count as COUNT min(_time) as _time by USERNUMBER WEBSITE session3
| eval VISITDATE=strftime(_time,"%m/%d/%Y %T")
| table VISITDATE,USERNUMBER,WEBSITE,COUNT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srive326
Explorer
05-01-2020
11:42 AM
Hi,
Thank you so much for your answer. I implemented it on my data and I noticed that there is one thing I should add. There can be multiple users/USERNUMBER so using
|autoregress _time as prev_time
on my data has the effect of using another users previous time instead of the prev_time specific to that user. Is there a way I can make the |autoregress _time as prev_time conditional to the USERNUMBERs so that for example each unique USERNUMBER will have null for the first time they visit a site on the prev_time column. Thank you again for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-01-2020
01:28 PM
use streamstats current=f last(_tme) as prev_time by USERNUMBER
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srive326
Explorer
05-04-2020
01:37 PM
That worked perfectly, thank you!
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
