I am basically trying to create a timeline (https://splunkbase.splunk.com/app/3120/) that will show the average duration the users spend on each page at the relative time they accessed it.
Essentially it should look similar to this:
Where each line is a different page (sorry to cut the page names off: confidentiality and all that jazz).
What I need help on is:
How do I turn the time each event occurred into a relative time for each user?
e.g. I want to take something like this:
user_A event_1 ---> page_1 timeA_1 durationA_1
event_2 ---> page_2 timeA_2 durationA_2
user_B event_1 ---> page_1 timeB_1 durationB_1
event_2 ---> page_2 timeB_2 durationB_2
And turn it into this:
page_1 avg(time_since_start_1) avg(duration_1)
page_2 avg(time_since_start_2) avg(duration_2)
Right now, I have this pretty simple search for the single user:
| sort _time
| table _time x_page_name user duration
I've tried to expand this using transactions like this:
MAIN SEARCH STUFF user=*
[ transaction user
| eval earliest=info_max_time
| eval stime= round(_time-earliest,0)]
| sort stime
| table stime x_page_name user duration
But, alas, I have had no luck.
Any suggestions are appreciated. If you think of a better approach to solving this I would love to know!
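One way to compute the per-user relative time without a subsearch, as an added example that is not from the original post: eventstats attaches each user's earliest event time to every one of that user's events, eval subtracts it, and stats averages by page. The subsearch attempt above uses info_max_time, which is the end of the search window rather than a user's first event. Field names x_page_name, user and duration are taken from the question, MAIN SEARCH STUFF stands for the base search, and the output field names are assumptions.

```spl
MAIN SEARCH STUFF user=*
| eventstats min(_time) as session_start by user
| eval stime=round(_time-session_start, 0)
| stats avg(stime) as avg_time_since_start avg(duration) as avg_duration by x_page_name
| sort avg_time_since_start
| table x_page_name avg_time_since_start avg_duration
```

Check the intermediate result by replacing the stats line with `| table user x_page_name _time session_start stime` for a single user before aggregating.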
I am trying to compare two time windows in the same index but I would like the chart comparing them to be based on a specified name of those time ranges rather than on time.
Release_A = October 2nd
Release_B = September 20th
(index=.... url=* earliest="10/02/2019:00:00:00" latest="10/02/2019:23:59:59") OR (index=... url=* earliest="09/20/2019:00:00:00" latest="09/20/2019:23:59:59")
| chart avg(seconds) by _time span=1d
I want the chart x-axis values to be Release_A and Release_B rather than a timeline.
Any advice on how to do this would be very appreciated.