Splunk is a powerful tool that can analyze and visualize raw data, in all its forms. Splunk can also combine multiple events to visualize transactions, business processes and sessions. This concept is extremely useful if you want to link multiple events across data sources that all relate to the same real world event.

Imagine a customer tapping their bank card on a payment terminal to purchase something in a shop. This real world event triggers a flurry of events in a large number of systems with the card provider, the bank, and the retailer before the transaction is fully settled. If something goes wrong in any of these systems, the payment might not go through. In this complex transaction, it can be tricky to quickly find the source of the problem. However, Splunk can help join these dots to quickly perform a root cause analysis, and report metrics and KPIs on the service or process being monitored.

Common Splunk search commands for combining events are transaction or stats. An example query could be something like this:

```
sourcetype=x OR sourcetype=y | transaction sessionID
```

```
sourcetype=x OR sourcetype=y | stats range(_time) as duration, count by sessionID
```

Another example where this is useful would be for website web server logs. Each page viewed by a visitor would generate an entry in the web server log file. Measuring these alone can be beneficial when ranking page popularity or problematic pages. However, it is of limited value when it comes to measuring things from the user’s perspective. If a user goes to a website and views 100 pages, this should be monitored as one session, as this is one interaction between the user and your company. All KPIs and metrics should be counted per session, not per page view. The problem is that web server logs do not always contain session information. Calculating and generating session data (sessionization), and maintaining multiple KPIs against these sessions requires a lot of compute. However, it can be done with Splunk by using a combination of queries, lookups and possibly data models.

Firstly, create a query that accurately represents a session based on the information available. For website sessions, the industry standard is to link all visits from a user with a maximum break between interactions of 30 minutes, and a maximum session length of 4 hours. If any of these rules are reached, this will be counted as a new session. Now, what if you don’t have the user information in the data either? The example below generates an artificial user based on the user agent string and the IP address. This is a simple example of device fingerprinting:

```
index=mywebserverlogs sourcetype=access_combined NOT file=* status=200
| fields _time time referer clientip useragent request
| transaction clientip useragent maxpause=30m maxspan=4h keepevicted=f
| eval http_session=md5(clientip."_".useragent."_"._time)
count(request) AS http_session_pageviews,
first(duration) as http_session_duration,
| eval http_session_referer=replace(http_session_referer,"^*_","")
| table _time,user,http_session,http_session_start,http_session_end,http_session_pageviews,http_session_duration,http_session_referer,requests, times
```

The above search generates a synthetic user key based on the user agent and client IP for the web request to identify each user. The session key is generated from the user key, with the addition of the _time field. This system can be productionized by appending the output of the above to a lookup in a scheduled search that runs every 10 minutes. This can be used as a base for searches and makes them run much faster:

```
| outputlookup append=t createinapp=t sessions.csv
```

For each entry in the lookup we calculate some key metrics such as the number of pageviews, duration or referring URL. We can also calculate other useful metrics based on this session data:

Which sessions included the “Add to cart page”? – Good KPI to measure:

```
|inputlookup sessions.csv | stats count(eval(like(requests,"%addtocart%"))) AS AddToCart
```

Which sessions included the “Checkout success page”? – Conversion rate:

```
|inputlookup sessions.csv | stats count(eval(like(requests,"%checkout/success%"))) AS Checkout
```

Which sessions included the “Add to cart page” and not the Checkout success page? E.g. Lost revenue or abandoned basket:

```
|inputlookup sessions.csv | stats count(eval(like(requests,"%addtocart%") AND NOT like(requests,"%checkout/success%"))) AS AbandonedBasket
```
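The sessionization rule described in this article (a synthetic user key from client IP and user agent, a 30-minute maximum pause, a 4-hour maximum session length) and the three lookup KPIs, modeled in Python as an added example. It is not the article's code and not Splunk's transaction implementation; the sample events and the `sessionize` and `kpis` names are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

MAX_PAUSE = timedelta(minutes=30)   # maximum break between interactions
MAX_SPAN = timedelta(hours=4)       # maximum session length

# Constructed sample events: (timestamp, clientip, useragent, request)
EVENTS = [
    ("2024-01-01 10:00:00", "198.51.100.7", "UA-A", "/home"),
    ("2024-01-01 10:05:00", "198.51.100.7", "UA-A", "/addtocart"),
    ("2024-01-01 10:07:00", "198.51.100.7", "UA-A", "/checkout/success"),
    ("2024-01-01 11:00:00", "198.51.100.7", "UA-A", "/addtocart"),  # gap > 30m
    ("2024-01-01 10:01:00", "198.51.100.7", "UA-B", "/addtocart"),  # other agent
]

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def sessionize(events):
    """Group events into sessions per synthetic user (clientip + useragent)."""
    sessions, open_session = [], {}
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip, ua, req)
                    for t, ip, ua, req in events)
    for ts, ip, ua, req in parsed:
        user = md5(f"{ip}_{ua}")  # fingerprint used as the user key
        cur = open_session.get(user)
        # Start a new session when either rule is exceeded.
        if cur is None or ts - cur["end"] > MAX_PAUSE or ts - cur["start"] > MAX_SPAN:
            cur = {"user": user, "start": ts, "end": ts, "requests": [],
                   "http_session": md5(f"{ip}_{ua}_{ts.isoformat()}")}
            open_session[user] = cur
            sessions.append(cur)
        cur["end"] = ts
        cur["requests"].append(req)
    return sessions

def kpis(sessions):
    """Per-session counts matching the AddToCart, Checkout and AbandonedBasket searches."""
    def has(session, page):
        return any(page in r for r in session["requests"])
    return {
        "AddToCart": sum(has(s, "addtocart") for s in sessions),
        "Checkout": sum(has(s, "checkout/success") for s in sessions),
        "AbandonedBasket": sum(has(s, "addtocart") and not has(s, "checkout/success")
                               for s in sessions),
    }
```

Because the user key is only IP plus user agent, visitors behind the same NAT with the same browser merge into one session, and a visitor whose IP changes mid-visit is split into two.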