Splunk Enterprise

Transaction with subsearch match time

user93
Communicator

 


So, I'm not certain I am taking the best approach. Maybe if I just describe what I'm trying to do, someone in the community will have a better idea.

-

Problem:

I have two applications, one called search and another called pageviewer. To a user, they don't realise the difference. However, in the data, the actions in search and the pageviewer page loads are two different events happening near the same time.

My goal is to have the list of search strings that lead users to a page, so that I can prepare a report by pageId with a list of key terms.

-

Today, I am using a transaction command to group searches by user. However, I only want searches from users that viewed the page of interest. My trouble, using my current method, is that the users can view the page any time and I am only interested in their search values if it is near the same time they viewed the page.

 

-

Code: 

index=server sourcetype=logtype search_string!="" action=search
[search index=app userID=* pageID=alphnum1234 | dedup userID | table userID]
|<regex field definitions including #of total search |tableresults returned>
|transaction maxspan=1h maxpause=15m userID mvlist=true
|search totalHits=* search_string=*
|eval search_transaction=mvjoin(search_string,",")
|table _time,userID,search_transaction,totalHits,....

-

My problem here is that a user could view a page at any time, so if I'm looking across 30 days of events, if that user viewed the page once in the 30 days but also 10 other pages on different days, then I get all of the search results, not just the ones near the time the page of interest was opened. This leads to lots of irrelevant results.

isoutamo
SplunkTrust

Hi

Can you give us some obscured samples of events?

t. Ismo

user93
Communicator

Provide a grouped list of search strings (transaction by user); however, restrict this list only to userIDs who load the page on the same day as the page load.

Example event

[timestamp] [userID=anonymabcd] [action=load ..<more fields>... pageID=abc_1234]

[timestamp] [userID=anonymabcd] [action=search ..<more fields>.... search_string="user typed free text in searchbar"]

-

Actually, after looking closer, in this case they are in the same index, only the log type varies by action (load vs. search). Either way, the problem remains the same: to restrict the subsearch of the page load to an evaluated time difference from the search action.

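The two SPL searches below are added here as an example and are not from the original poster or from any of the replies. They cover both variants raised in the thread: the first post (searches "near the same time" as the page load, using the poster's maxspan=1h and maxpause=15m) and the follow-up (searches on the same calendar day as the load). Because the follow-up says both event kinds live in the same index, the subsearch on userID is dropped and both kinds are pulled in one base search and correlated per user. Assumptions: the index is index=app, the fields action, userID, pageID and search_string are already extracted, and the page of interest is pageID=alphnum1234 as in the original search; sourcetype qualifiers are left out because the thread does not say which sourcetype the load events carry, and the regex extraction of totalHits is omitted because its pattern is not shown.

```spl
index=app userID=* ((action=search search_string!="") OR (action=load pageID=alphnum1234))
| transaction userID maxspan=1h maxpause=15m endswith=eval(action="load") mvlist=true
| search action=search action=load
| eval search_transaction=mvjoin(search_string, ", ")
| table _time userID pageID search_transaction eventcount duration
| stats values(search_transaction) as key_terms count as sessions by pageID

index=app userID=* ((action=search search_string!="") OR (action=load pageID=alphnum1234))
| eval day=strftime(_time, "%Y-%m-%d")
| stats sum(eval(if(action="load", 1, 0))) as page_loads values(search_string) as search_terms by userID day
| where page_loads>0 AND isnotnull(search_terms)
| eval search_transaction=mvjoin(search_terms, ", ")
| table day userID page_loads search_transaction
```

In the first search, endswith=eval(action="load") closes a transaction at every load of the page of interest, so each transaction holds one load plus the search events of that user that preceded it within the pause and span limits; the follow-up search action=search action=load keeps only transactions that contain both event kinds (multivalue fields match if any value matches), which discards loads with no prior searches and searches that never led to the page. Drop the final stats line if the per-user rows are wanted rather than the per-page key-term list. The second search replaces the transaction with a stats by userID and day, which is cheaper and answers the same-day wording of the follow-up exactly, at the cost of losing ordering between search and load; swap values() for list() if duplicate search strings and their order matter for the report.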