To discard the transactions that do not contain q=1, add a search command:
[search sourcetype="impl_splunk_web" q=1
| stats count by uid
| fields uid]
sourcetype="impl_splunk_web"
| transaction maxpause=5m startswith="q=1" uid
| search q=1
Finally, let's add stats to count the number of transactions, the distinct values of uid, the average duration of each transaction, and the average number of clicks per transaction:
[search sourcetype="impl_splunk_web" q=1
| stats count by uid
| fields uid]
sourcetype="impl_splunk_web"
| transaction maxpause=5m startswith="q=1" uid
| search q=1
| stats count dc(uid) avg(duration) avg(eventcount)
This gives us a table as shown in the following screenshot:
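The pipeline above, modelled in Python as an added example (not from the book and not Splunk's implementation): a simplified, chronological approximation of the subsearch, transaction maxpause=5m startswith="q=1" uid, search q=1 and stats steps, run over constructed events. All function names and sample values are hypothetical.

```python
from collections import defaultdict

MAXPAUSE = 5 * 60  # maxpause=5m, in seconds

# Constructed sample events: (epoch seconds, uid, value of q)
EVENTS = [
    (0, "alice", "1"), (60, "alice", "2"), (120, "alice", "3"), (180, "alice", "4"),
    (900, "alice", "7"),   # more than 5m after the last click, and no q=1
    (30, "bob", "1"), (90, "bob", "2"),
    (100, "bob", "1"),     # a second q=1 starts a new transaction
    (130, "bob", "4"), (160, "bob", "5"),
    (10, "carol", "5"),    # never sent q=1, so the subsearch excludes her
]

def uids_with_q1(events):
    """Subsearch: the set of uids that sent q=1 at least once."""
    return {uid for _, uid, q in events if q == "1"}

def transactions(events, maxpause=MAXPAUSE):
    """Group each uid's events; split on a q=1 event or a pause > maxpause."""
    by_uid = defaultdict(list)
    for t, uid, q in sorted(events):
        by_uid[uid].append((t, q))
    out = []
    for uid, evs in by_uid.items():
        current = [evs[0]]
        for t, q in evs[1:]:
            if q == "1" or t - current[-1][0] > maxpause:
                out.append((uid, current))
                current = []
            current.append((t, q))
        out.append((uid, current))
    return out

def summarize(events):
    """stats count dc(uid) avg(duration) avg(eventcount) after '| search q=1'."""
    keep = uids_with_q1(events)
    txns = transactions([e for e in events if e[1] in keep])
    txns = [(u, evs) for u, evs in txns if any(q == "1" for _, q in evs)]
    if not txns:
        return {"count": 0, "dc(uid)": 0, "avg(duration)": None, "avg(eventcount)": None}
    n = len(txns)
    return {
        "count": n,
        "dc(uid)": len({u for u, _ in txns}),
        "avg(duration)": sum(evs[-1][0] - evs[0][0] for _, evs in txns) / n,
        "avg(eventcount)": sum(len(evs) for _, evs in txns) / n,
    }

if __name__ == "__main__":
    print(summarize(EVENTS))
```

Alice's lone click at 900 seconds forms a transaction of its own that contains no q=1, which is the kind of transaction the final search q=1 step discards.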
We can swap timechart with stats to see how these statistics change over time:
[search sourcetype="impl_splunk_web" q=1
| stats count by uid
| fields uid]
sourcetype="impl_splunk_web"
| transaction maxpause=5m startswith="q=1" uid
| search q=1
| timechart bins=500 avg(duration) avg(eventcount)
This produces a graph as shown in the following screenshot: