- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- transaction to retrive value then make eval
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
transaction to retrive value then make eval
Dear community,
I have the following scenario:
User can make many actions, in this case we can have action equals search, result clicked, or load. Each action type has its own log format with many overlapping fields.
I want to count a click index rank, a field of the action = result clicked. However, I want to sort these by pages with this highest or lowest index rank. However, the page value for action= result clicked is the search results page, i.e. page="/search?query=example". The page I want is in the action=load, and will always be the next action of the user, i.e. action=load page=/usergude/exampletopic.html.
So, I'm using the search transaction here to group the journey by customer, but really I want an event that groups the next load action for a specific user following a result clicked, but so that I can make stats on the whole environment.
Any ideas?
Example scenario: Find pages with a low average resultIndex clicked.
user=name action=search query=example
user=name action=resultClicked page=/search?examplequeryfromuser
user=name action=load page=/userguide/exampletopic/theactualpageuserclicked.html
What is the average click rank ? [ for page /userguide/exampletopic/theactualpageuserclicked.html ]
Example base search:
index=server sourcetype=stats action!=pageChanged
| rex field=_raw "query=\"(?<query_quotes>.*)\",filters"| rex field=searchIndex "\[(?<filts>.+)\]"
| rex max_match=0 field=filts "\"(?<index_select>[\w :-]+)\""
| rex field=product_name "\[(?<prods>.+)\]"
|transaction email maxspan=1h maxpause=15m mvlist=true nullstr="-"
| eval usercode=mvdedup(instcode), time_spent_searching=round(duration/60, 4)
| search action=resultClicked query_quotes!="" query_quotes="*" query_quotes="*" publicationId="*" OR NOT publicationId="*"
|eval searchTransaction=lower(query_quotes)
| table custcode publicationId topic searchTransaction action, resultIndex, time_spent_searching,page
| rename time_spent_searching as "Minutes Spent Searching", prods as "Product Filter Selected"
Produce something like
| customer code | publication | topic / page | search string | action | resultIndex | Minutes spent searching | page |
| usernumber | - | - | how to login | search | - | 10.79 | /search |
| - | - | how to login | resultClicked | 3 | /search?how_to_login | ||
| product_operation_guide | login.htm | - | - | Load | - | /publications/productoperationsguide/2.0?topic=login.htm | |
| product_operation_guide | reset.htm | - | - | Load | /publications/productoperationsguide/2.0?topic=reset.htm |
I want to see that the average click rank is 3 for page=/publications/productoperationsguide/2.0?topic=login.htm. Of course, there would be many users who click on the same page, after searching any number of search strings.
Business goal:
Provide pages with the lowest click rank where the query contains the key term login
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
