Hello, I'm trying to define a successful search vs. unsuccessful. I define successful search as one with a click. I then want to sort by the top queries without clicks to identify content gaps. I have two logs, one where action=search and another where action=resultClicked. Both logs have the query value and a userId.  Maybe there is a better way, but I'm struggling to bin and match. All resultClicked logs correspond to an action search log and where the userId is the same and within 1h, we can be certain that all others that do not have a match are unsuccessful.  How would you try?    ... View more

Dear community, I have the following scenario: User can make many actions, in this case we can have action equals search, result clicked, or load. Each action type has its own log format with many overlapping fields.   I want to count a click index rank, a field of the action = result clicked. However, I want to sort these by pages with this highest or lowest index rank. However, the page value for action= result clicked is the search results page, i.e. page="/search?query=example". The page I want is in the action=load, and will always be the next action of the user, i.e. action=load page=/usergude/exampletopic.html.   So, I'm using the search transaction here to group the journey by customer, but really I want an event that groups the next load action for a specific user following a result clicked, but so that I can make stats on the whole environment.   Any ideas?   Example scenario: Find pages with a low average resultIndex clicked. user=name action=search query=example user=name action=resultClicked page=/search?examplequeryfromuser user=name action=load page=/userguide/exampletopic/theactualpageuserclicked.html   What is the average click rank ? [ for page /userguide/exampletopic/theactualpageuserclicked.html ]   Example base search:   index=server sourcetype=stats action!=pageChanged | rex field=_raw "query=\"(?<query_quotes>.*)\",filters"| rex field=searchIndex "\[(?<filts>.+)\]" | rex max_match=0 field=filts "\"(?<index_select>[\w :-]+)\"" | rex field=product_name "\[(?<prods>.+)\]" |transaction email maxspan=1h maxpause=15m mvlist=true nullstr="-" | eval usercode=mvdedup(instcode), time_spent_searching=round(duration/60, 4) | search action=resultClicked query_quotes!="" query_quotes="*" query_quotes="*" publicationId="*" OR NOT publicationId="*" |eval searchTransaction=lower(query_quotes) | table custcode publicationId topic searchTransaction action, resultIndex, time_spent_searching,page | rename time_spent_searching as "Minutes Spent Searching", prods as "Product Filter Selected"   Produce something like   customer code publication topic / page search string action resultIndex Minutes spent searching page usernumber - - how to login search - 10.79 /search   - - how to login resultClicked 3   /search?how_to_login   product_operation_guide login.htm - - Load - /publications/productoperationsguide/2.0?topic=login.htm   product_operation_guide reset.htm - - Load   /publications/productoperationsguide/2.0?topic=reset.htm I want to see that the average click rank is 3 for page=/publications/productoperationsguide/2.0?topic=login.htm. Of course, there would be many users who click on the same page, after searching any number of search strings.   Business goal: Provide pages with the lowest click rank where the query contains the key term login ... View more

  index=server sourcetype=logtype search_string!="" action=search [search index=app userID=* pageID=alphnum1234 | dedup userID | table userID] |<regex field definitions including #of total search |tableresults returned> |transaction maxspan=1h maxpause=15m userID mvlits=true |search totalHits=* search_string=* |eval search_transaction=mvjoin(search_string,",") |table _time,userID,search_transaction,totalHits,....   So, I'm not certain I am taking the best approach. Maybe if I just describe what I'm trying to do, someone in the community will have a better idea. - Problem: I have two applications, one called search and another called pageviewer. To a user, they don't realise the difference. However, in the data, the actions in search and the pageviewer page loads are two different events happening near the same time. My goal is to have the list of search strings that lead users to a page, so that I can prepare a report by pageId with a list of key terms.  - Today, I am using a transaction command to group searches by user. However, I only want searches from users that viewed the page of interest. My trouble, using my current method, is that the users can view the page any time and I am only interested in their search values if it is near the same time they viewed the page.   - Code:  index=server sourcetype=logtype search_string!="" action=search [search index=app userID=* pageID=alphnum1234 | dedup userID | table userID] |<regex field definitions including #of total search |tableresults returned> |transaction maxspan=1h maxpause=15m userID mvlits=true |search totalHits=* search_string=* |eval search_transaction=mvjoin(search_string,",") |table _time,userID,search_transaction,totalHits,....   - My problem here is that a user could view a page at any time, so if I'm looking across 30 days of events, if that user viewed the page once in the 30 days but also 10 others pages on different days, then I get all of the search results not just the ones near the time the page of interest was opened. This leads to lots of irrelevant results          ... View more

Hello, I have a list of strings that are more meaningful when grouped and viewed together by time. This is great and easy to do in Splunk with the transaction command. However, I need to export this to excel. In the export, the transaction becomes a single line and I want to mimic the format to make the groups easy to read. I get this is probably more of an excel question, but maybe there is some Splunk pre-formatting I can do to make it easier like separate the individual items in a transaction by commas, or something similar. Example of transaction output: I need help | categoryA | _time help help me please what is splunk | category b | _time splunk help please splunk Example of excel extract I need help help help me please | cat a | _time what is splunk splunk help please splunk | cat b | time I want to wrap the values in the excel cell, but I have nothing to note when to wrap and I don't actually know how to wrap a cell. ... View more

Hello, I've always had trouble with automatic lookups and every time I manage to do it it seems that I do it differently many times before it somehow works by magic. I have a lookup table and a lookup definition. In the lookup table and the event logs I have a field to match that is in most events and I want to apply every field in the lookup table (30+ fields) to the events that included the matched field. I've tried it two different ways. I have one table where the field name is different than in the source and I have a second table where the field name is the same. eventlogs: _time,ID,fieldx,fieldy,fieldz. Lookuptable_v1: ID,fielda-fieldw Lookuptable_v2: ID code, field a - field w. I've tried matching the automatic input fields with the source where they were different, ID - ID code (and vice-versa). I've also tried just where the tables have the same field name. Since I have 20+ fields I'm only adding one or two to the output areas until I get it to work, but it is not working. I either get an error that some fields have not been matched, OR it seems just like nothing has happened at all. What gives? ... View more

Hi, So I a page with more than a few urls that represent that same page. However, one of these urls has a value that indicates it has a specific location that indicates promotion. I want to chart on a line graph both the promoted url and all urls that are not the promoted url. I figure I have to use the eval if statement, but what I've done thus far is not working. page=/store/product_abcd1234* -> note this returns many variants of the same page |eval promostatus=if(page="/store/product_abcd1234?source=promoted, promo, nopromo) |chart distinctcount(user) by promostatus I want to count uniquely the number of users who had a referral from the promotion and the number of users who load the entire group of page values (except the promo). I'd like to chart this over time with both lines on the same time graph. ... View more