Re: Counting the number of sessions with more than...

KyleMcDougall · ‎06-03-2022

I'm trying to count the number of sessions (known as sessionId) that have more than 2 intents. (An intent is a field value). And also include the total number of sessions, including sessions with 0 or 1 intents.

I can't figure out the concept for this query.

index=conversation botId=ccb
| eval intent_total=if(intent=*, 1, 0)
| stats sum(intent_total) by sessionId
| where intent_total > 2
| table sessionId intent_count

venky1544 · ‎06-07-2022

Hi @KyleMcDougall

when you say 2 buckets can you please elaborate do you mean you want two panels in a dashboard ?? are can you share a sample output

note:- if it helps karma points are appreciated/if it resolves solution acceptance is appreciated

venky1544 · ‎06-07-2022

hi @KyleMcDougall

Have you tried the transaction command this command should group based on sessionID and would give you an eventcount which gives you an idead about the number of intent related to each sessionID whether its 0 or 1 intent and 2 or more intent

|transaction sessionId

just an example

Thanks

venky

note:- if it helps karma points are appreciated/if it resolves solution acceptance is appreciated

sperkins · ‎06-03-2022

Do you have a couple sample events to work the search against.

Because in this event with the eval you are doing, it looks like it will only return values of 1 or 0 for intent_total. So I don’t think you can use that to | where >2 against.
Unless you are trying to do |where against the new field that is sum in which case it should be written
| stats sum(intent_total) as intent_total by sessionId

KyleMcDougall · ‎06-03-2022

I listed 2 sample events below. This is query for a chatbot platform. A conversation between a user and the bot is referred to as a session. A user can hit multiple intents in a session.

I'm trying to group sessions with 0 or 1 intents, and sessions with 2 or more intents.

My original query was just a poor attempt to get to this data.

2022-06-03T19:25:53,135+0000 [INFO ] level=INFO  [RxCachedThreadScheduler-10]-[sessionId=0d326922-5526-4ca9-bdf8-c74b9bf665c8 test=false botId=ccb offl_TKT=false proto=V2 platform=WEB input_type=TEXT sku= pn= cid=3fd323ae-5958-4538-8e92-15567ad6d39e convo=]-[FulfillmentServiceImpl]-[381 ] Processing intent: intent=payroll.help_preferences_standard conversation=payroll.help_preferences_standard 
index = conversationintent = payroll.help_preferences_standardlinecount = 1punct = --::,+_[_]_=__[-]-[=----_=_=----_=_=----_=----_=_=sessionId = 0d326922-5526-4ca9-bdf8-c74b9bf665c8splunk_server
6/3/22
12:25:53.133 PM	

2022-06-03T19:25:53,133+0000 [INFO ] level=INFO  [RxCachedThreadScheduler-10]-[sessionId=0d326922-5526-4ca9-bdf8-c74b9bf665c8 test=false botId=ccb offl_TKT=false proto=V2 platform=WEB input_type=TEXT convo=]-[AnalyticsServiceImpl]-[129 ] cuidata=true type=user intent=payroll.update_account confidence=1.0 feedback=false handled=true message="Configurer la paie"; 
index = conversationintent = payroll.update_account = 1punct = --::,+_[_]_=__[-]-[=----_=_=----_=_=----_=----_=_=sessionId = 0d326922-5526-4ca9-bdf8-c74b9bf665c8

sperkins · ‎06-07-2022

index=conversation botId=ccb
| eval intent_count=if(like(intent,"%"), "1", "0")
| stats sum(intent_count) as intent_count by sessionId
| addtotals col=t row=f labelfield=sessionId intent_count
| where intent_count >= 2

This should only show a Total count and the sessionId's with over two intents.

KyleMcDougall · ‎06-07-2022

Thank you! This is very helpful.

How do I group these into 2 buckets? First bucket is sessions with 0-1 intent_count, and second bucket is => 2 intent_count.

sperkins · ‎06-07-2022

index=conversation botId=ccb
| eval intent_count=if(like(intent,"%"), "1", "0")
| stats sum(intent_count) as intent_count by sessionId
| where intent_count >= 2
| addtotals col=t row=f labelfield=sessionId label="Total Sessions with More Than 2 Intents"
| append [search index=conversation botId=ccb | eval intent_count=if(like(intent,"%"), "1", "0")
| stats sum(intent_count) as intent_count by sessionId
| addtotals row=f col=t labelfield=sessionId label="Total Sessions with Less Than 2 Intents"
| where intent_count < 2]
| search sessionId="Total Session*"

This will return the results with two different column totals. The last Search is just a filter to only the totals will show, but if you want the sessionId's to be listed as well you can just take out that last line.

Is this more what you were looking for?

KyleMcDougall · ‎06-07-2022

Yes, this seems like it would be exactly what I'm looking for, but it's only displaying one line. I can't get it to show the "Less than 2 intents" line.

I only see the counts for "Total Sessions with More than 2 Intents."

I think the "| where intent_count >= 5" line is filtering results for the entire query, which is why it's not showing counts for less than 5.

Could a "bin" command work instead?

sperkins · ‎06-08-2022

index=conversation botId=ccb
| eval intent_count=if(like(intent,"%"), "1", "0")
| stats sum(intent_count) as intent_count by sessionId
| where intent_count >= 2
| addtotals col=t row=f labelfield=sessionId label="Total Sessions with More Than 2 Intents"
| append [search index=conversation botId=ccb | eval intent_count=if(like(intent,"%"), "1", "0")
| stats sum(intent_count) as intent_count_small by sessionId
| addtotals row=f col=t labelfield=sessionId label="Total Sessions with Less Than 2 Intents"
| where intent_count_small < 2]
| search sessionId="Total Session*"

Maybe changing the intent count field name will eliviate that. I am not sure if bin would work, but it could!

How to count the number of sessions with more than one intent?

stats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor