Is there a way in Splunk to determine how a user arrived at a destination IP? Did they click a link from a certain webpage, or did they go there directly?
Another way to look at it is if there is a way to separate user activity from webpage activity. Websites automatically load advertisements and other content automatically within a second, or a very small time interval. Users on the other hand are scrolling, clicking on a link, then clicking on another link which takes a significantly longer amount of time.
Being able to consolidate web page activity where dozens of destination addresses are accessed within 5 seconds into a single event where just the first record is shown would help to reduce the number of results returned when you're looking at a time window containing several thousand records.
Hi @redhonda03_2,
the only answer to this question brings two other questions:
if the answer is yes to both my answers, it's possible.
You have only to correlate events identifying the transaction keys (e.g. the username).
Ciao.
Giuseppe
Hi Guiseppe,
Regarding you questions, yes we have have web logs and yes they are being set to splunk. You mentioned "transaction keys", is this different that values listed in one of the 'interesting fields' listed in the Splunk search?
Hi @redhonda03_2,
as "transaction_key" I mean a common field that can be used to correlate different data, e.g. username, transaction_id, etc....
Having this field you can correlate data from different data source, otherwise it's really difficoult to create a correlation.
Ciao.
Giuseppe