Hello all,
I'm analyzing some access logs where I'm trying to determine unique and returning visitors. So far, I've grouped my events into transactions with the following:
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| eval user_type=case(eventcount>=1,"Entrance")
and now I'm trying to figure out how to go from there to obtain unique and returning visitors.
Thanks!
Okay, starting from your search:
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| eval user_type=case(eventcount>=1,"Entrance")
I am not sure what user_type means. The eventcount is the number of events within a single transaction, not the number of times a user has appeared.
I would do this:
sourcetype=access_*
| transaction clientip maxpause=1h keepevicted=t mvlist=t
| stats count by clientip
| eval status=if(count==1,"New","Returning")
| stats count(eval(status=="New")) AS New count(eval(status=="Returning")) AS Returning
| eval TotalUniqueUsers=New+Returning
You should end up with two columns of output - New contains the number of clientip addresses that appear only once, and Returning is the number that appear multiple times.
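The same logic outside Splunk, as an added example that is not part of the original answer: requests are grouped into visits per clientip with a one-hour maximum pause (an approximation of `transaction ... maxpause=1h`), then each address is classified by how many visits it has. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache access-log style (not from the thread).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Mar/2024:09:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.1 - - [01/Mar/2024:09:05:00 +0000] "GET /cart HTTP/1.1" 200 734
10.0.0.2 - - [01/Mar/2024:09:10:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.1 - - [01/Mar/2024:13:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.3 - - [01/Mar/2024:14:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.3 - - [01/Mar/2024:14:59:00 +0000] "GET /faq HTTP/1.1" 200 301
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def sessions_per_ip(log_text, max_pause=timedelta(hours=1)):
    """Return {clientip: visits}; a gap longer than max_pause starts a new visit."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # skip entries with an unparseable timestamp
        times[m.group(1)].append(ts)
    counts = {}
    for ip, stamps in times.items():
        stamps.sort()
        # One visit to start with, plus one for every pause above the limit.
        gaps = sum(1 for a, b in zip(stamps, stamps[1:]) if b - a > max_pause)
        counts[ip] = 1 + gaps
    return counts


def classify(counts):
    """One visit means New, more than one means Returning."""
    new = sum(1 for n in counts.values() if n == 1)
    returning = sum(1 for n in counts.values() if n > 1)
    return {"New": new, "Returning": returning, "TotalUniqueUsers": new + returning}


if __name__ == "__main__":
    print(classify(sessions_per_ip(SAMPLE_LOG)))
```

In the sample, 10.0.0.3 makes two requests 59 minutes apart and still counts as one visit, while 10.0.0.1 comes back after a pause of almost four hours and counts as returning.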
Thanks for your help. I'll try this. I should have given a little more background. Example: a user entering a website (including all pages) for the first time could view multiple pages. As a result, the clientip would appear multiple times, each as an event, and thus returning the user as a returner; that's why I grouped events into transactions... to count each transaction as an event. From there, I want to obtain the count of new users vs returning users.
sourcetype=access_* | transaction clientip maxpause=1h keepevicted=t mvlist=t | eval user_type=case(eventcount>=1,"Entrance") | dedup clientip ?
| dedup userID
to figure out unique visitors?