Splunk Search

How to find unique and returning visitors after grouping access log events into transactions?

ashnet16
Path Finder

Hello all,

I'm analyzing some access logs where I'm trying to determine unique and returning visitors. So far, I've grouped my events into transactions with the following:

sourcetype=access_*  
| transaction clientip maxpause=1h keepevicted=t mvlist=t 
| eval user_type=case(eventcount>=1,"Entrance") 

and now I'm trying to figure out how to go from there to obtain unique and returning visitors.

Thanks!

Tags (3)
0 Karma

lguinn2
Legend

Okay, starting from your search:

sourcetype=access_*  
| transaction clientip maxpause=1h keepevicted=t mvlist=t 
| eval user_type=case(eventcount>=1,"Entrance")

I am not sure what user_type means. The eventcount is the number of events within a single transaction, not the number of times a user has appeared.

I would do this

sourcetype=access_*  
| transaction clientip maxpause=1h keepevicted=t mvlist=t 
| stats count by clientip
| eval status=if(count==1,"New","Returning")
| stats count by status
| eval TotalUniqueUsers=New+Returning

You should end up with two columns of output - New contains the number of clientip addresses that appear only once, and Returning is the number that appear multiple times.

0 Karma

ashnet16
Path Finder

Thanks for your help. I'll try this. I should have given a little more background. Example: a user entering a website(including all pages) for the first time could view multiple pages. As a result, the clientip would appear multiple times, each as an event, and thus returning the user as a returner;that's why I grouped events into transactions.... to count each transaction as an event. From there, I want to obtain the count of new users vs returning users.

0 Karma

ashnet16
Path Finder

sourcetype=access_* | transaction clientip maxpause=1h keepevicted=t mvlist=t | eval user_type=case(eventcount>=1,"Entrance") | dedup clientip ?

0 Karma

jchang23
Explorer

| dedup userID

to figure out unique visitors?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...