Splunk Search

How to display individual URI counts by user with timechart or stats?

Path Finder

I am looking to display individual URI count by User on a timechart. Is this possible?

My current search returns the monthly total Accesses by User. I would like to see the monthly Access count of each URI by User

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User| timechart span=1mon count by Name limit=0 

If this is not possible on a timechart, can it be done in a statistics chart?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Depends upon how many unique combinations you've for Name and URI, try this

For smaller number- timechart

 index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User | eval Name=Name.":".URI | timechart span=1mon count by Name limit=0 

Stats

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User | eval Name=Name.":".URI | bucket span=1mon _time | stats count by _time Name URI

View solution in original post

0 Karma

Path Finder

Thanks for your help guys, much appreciated.

0 Karma

Esteemed Legend

Like this:

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User| eval URI_and_User = URI . "::" . User | timechart span=1mon count BY URI_and_User limit=0

Because timechart can only breakout a single BY field, we are combining 2 fields into 1 and breaking out BY that one.

Legend

Try this

 index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User| bin span=1mon _time as time | eval t=time."#".uri | chart count over t by Name | rex field=t (?<Time>[^#]+)#(?<URI>.*)" | eval Time=strftime(Time, "%x %X")
0 Karma

SplunkTrust
SplunkTrust

Depends upon how many unique combinations you've for Name and URI, try this

For smaller number- timechart

 index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User | eval Name=Name.":".URI | timechart span=1mon count by Name limit=0 

Stats

index=* sourcetype=* User="*" Download "https://abc.com/content/mobile" | eval URI=case(match(_raw,"DailyNotes"), "DailyNotes",match(_raw,"Stock"),"Stock",match(_raw,"Sector"),"Sector",match(_raw,"Search"),"Search" ) | eval User=lower(User) | lookup  lookup1.csv user_id as User | eval Name=Name.":".URI | bucket span=1mon _time | stats count by _time Name URI

View solution in original post

0 Karma