Splunk Lantern

Long-term trends in web server user load

You might want to track unique users accessing a site over time when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Long-term trending of user load provides a strong indication of usage and adoption trends for the site. When long-term user load is correlated with resource consumption such as CPU, disk, and memory usage, the resulting data can help with capacity planning where usage and adoption are expected to increase continuously. Alternatively, where usage and adoption are expected to increase but do not, it could indicate a failed marketing campaign, a problematic onboarding or customer experience, or a similar problem. For these reasons, you need a search that lets you see these trends in user load.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses the Splunk Add-on for Apache Web Server. You can replace this source with any other web server data used in your organization.

  1. Verify you deployed a web server add-on to the search heads, so that the needed tags and fields are defined. For more information, see About installing Splunk add-ons.
  2. Choose a specific site you want to measure usage and adoption trends on.
  3. Run the following search: 
tag=web site=<URL of critical site>
|eval unique_user_info = src_ip.http_user_agent
|timechart span=15m dc(unique_user_info) AS unique_users

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

tag=web
    Search for events that are tagged as web events.

site=<URL of critical site>
    Search only the site you want to use as a baseline. For example,
    For a broader measure of web server user load, you can eliminate this line from the search.

|eval unique_user_info = src_ip.http_user_agent
    Concatenate the source IP address and the HTTP user agent into a single field named unique_user_info. Each distinct value of this field is treated as one unique user of the specified site.

|timechart span=15m dc(unique_user_info) AS unique_users
    Return the distinct count of unique users to a specified site. Plot the distinct count of unique users over time at 15-minute increments.
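The following Python sketch is an added example, not part of the original article or of any Splunk add-on. It emulates the eval and timechart steps over a few constructed Apache combined-format log lines, to show exactly what the distinct count treats as a "unique user". The function name and sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.10 - - [12/Mar/2024:10:04:41 +0000] "GET /cart HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.10 - - [12/Mar/2024:10:07:19 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
198.51.100.7 - - [12/Mar/2024:10:13:55 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.7 - - [12/Mar/2024:10:16:02 +0000] "GET /login HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
"""

# Captures: client IP, timestamp, and the final quoted field (user agent).
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)


def unique_users_per_span(log_text, span_minutes=15):
    """Emulate: eval unique_user_info = src_ip.http_user_agent
    followed by: timechart span=15m dc(unique_user_info)."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format events
        src_ip, ts, user_agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Snap the timestamp down to the start of its span, as timechart does.
        start = when.replace(
            minute=when.minute - when.minute % span_minutes, second=0
        )
        # The "." operator in an SPL eval is plain string concatenation.
        buckets[start.strftime("%H:%M")].add(src_ip + user_agent)
    return {start: len(keys) for start, keys in sorted(buckets.items())}


if __name__ == "__main__":
    for start, count in unique_users_per_span(SAMPLE_LOG).items():
        print(start, count)
```

In the sample, one IP address using two browsers counts as two users, while repeated requests from the same IP and browser count once. Clients that share an address and an identical user agent collapse into a single user, so the result is an approximation of user load rather than an exact head count.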


If, over time, the data show an increase in the number of unique users, you might want to show response times on the same dashboard so that capacity planning or optimization decisions can be made and mitigation planned.