You might need to obtain a count of users on a site at a given time when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Web server data
Active users provide a real-time measurement of load on the system, which can be helpful in multiple circumstances. If active users are low, for example during the early morning hours, it may be appropriate to proceed with a maintenance activity that could result in downtime or user disruption. Similarly, tracking active users during known peak times helps to gain an appreciation for the use of the system and the impact unexpected degradations can have on the user base. For these reasons, you need a search that can provide active user counts.
To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Splunk Add-on for Apache Web Server. You can replace this source with any other web server data used in your organization.
- Verify you deployed a web server add-on to the search heads, so that the needed tags and fields are defined. For more information, see About installing Splunk add-ons.
- If you’re using The Splunk Add-on for Apache Web Server, make sure to configure log formatting on the Apache Web Server as described in the following link. This step will make sure you have all the required fields present in apache_access.log and especially the response time value needed for this procedure. For detailed configuration steps, see Configure log formatting on the Apache Web Server using httpd.conf.
- Choose a critical page on your site to filter on.
- Run the following search:
tag=web site=<URL of critical page> |eval unique_user_info = src_ip.http_user_agent |timechart span=15m aligntime=now dc(unique_user_info)
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Search for events that are tagged as web events.
|site=<URL of critical page>||
Search only the site you want to see the number of users on. For example, site=www.mysite.com.
||eval unique_user_info = src_ip.http_user_agent||Search for unique users to a specified site and name the field unique_user_info.|
||timechart span=15m aligntime=now dc(unique_user_info)||
Graph the distinct count of unique users to a specified site in 15-minute time increments. Use "now" to refer to the number of users at the current time.
The search produces a line chart that shows unique users, as described above. It gives a visual of concurrent users over time and visualizes peaks and valleys over time. The timeframe should be selected according to organizational needs. It can be limited to only working hours, business days, or weekends. Concurrent usage is often useful for capacity planning or measuring interest in the content the site presents.