Create a table for your events, with columns IP, event time and event timestamp. The timestamp will help you calculate the time period between consecutive events (tip: use "eval").
Sort this table by IP and then by event time.
Use "streamstats" to handle your search results in a streaming manner. Add the option current = f (false) to handle every new event individually.
Compare the new event's user and timestamp with your last kept event.
- If the new IP is different from the previous IP, keep the event (remember that our table is primarily sorted by IP, so we deal with all requests from each IP at a time).
- If the difference between the new event's timestamp and the last kept timestamp is more than 3600 seconds, keep the event.
- If the last kept IP is null, it means we are dealing with our first event, so keep the event.
- Drop all other events.
Perform a count over your previous search to obtain the total number of visits.
Tip: keeping specific events with streamstats can be done using the "where" command.
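
The keep/drop rules above, written out as a small Python reference for checking a search's visit count against a known sample. This is an added example, not part of the original post; the function names and sample events are constructed, and the second counter (gap measured to the previous event rather than the last kept one) is included only to show how the two readings diverge.

```python
from datetime import datetime, timezone

SESSION_GAP = 3600  # seconds, the threshold from the steps above

# Constructed sample events: (ip, event time in UTC), deliberately unsorted
SAMPLE_EVENTS = [
    ("203.0.113.7", "2024-01-01T10:50:00"),
    ("198.51.100.4", "2024-01-01T09:00:00"),
    ("203.0.113.7", "2024-01-01T10:00:00"),
    ("198.51.100.4", "2024-01-01T09:40:00"),
    ("203.0.113.7", "2024-01-01T11:30:00"),
    ("198.51.100.4", "2024-01-01T10:20:00"),
    ("198.51.100.4", "2024-01-01T12:00:00"),
]

def to_epoch(iso):
    """The 'eval' step: derive a numeric timestamp from the event time."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())

def kept_events(events, gap=SESSION_GAP):
    """Return the events that start a visit, per the keep/drop rules."""
    # Sort by IP, then by time (string order on IP is enough for grouping)
    rows = sorted((ip, to_epoch(t), t) for ip, t in events)
    kept = []
    last_ip, last_ts = None, None  # last *kept* event, not merely the previous one
    for ip, ts, t in rows:
        if last_ip is None or ip != last_ip or ts - last_ts > gap:
            kept.append((ip, t))
            last_ip, last_ts = ip, ts
        # every other event is dropped and leaves the kept state untouched
    return kept

def count_visits(events, gap=SESSION_GAP):
    return len(kept_events(events, gap))

def count_by_previous_event(events, gap=SESSION_GAP):
    """Variant for comparison: measure the gap to the previous event instead."""
    rows = sorted((ip, to_epoch(t)) for ip, t in events)
    visits, prev = 0, None
    for ip, ts in rows:
        if prev is None or ip != prev[0] or ts - prev[1] > gap:
            visits += 1
        prev = (ip, ts)
    return visits

if __name__ == "__main__":
    print(kept_events(SAMPLE_EVENTS))
    print(count_visits(SAMPLE_EVENTS), count_by_previous_event(SAMPLE_EVENTS))
```

On this sample a client that sends a request every 40 minutes is counted as a new visit each time more than an hour has passed since its last kept event, whereas the previous-event variant treats the whole run as one visit.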