Active users provide a real-time measurement of load on the system, which can be helpful in multiple circumstances. If active users are low, for example during the early morning hours, it may be appropriate to proceed with a maintenance activity that could result in downtime or user disruption. Similarly, tracking active users during known peak times helps to gain an appreciation for the use of the system and the impact unexpected degradations can have on the user base. For these reasons, you need a search that can provide active user counts.
- Ensure you have deployed a web server add-on to the search heads so that web server data tags and fields are defined. This sample search uses the Splunk Add-on for Apache Web Server, but you can replace this source with any other web server data used in your organization. For more information, see About installing Splunk add-ons.
- If you’re using the Splunk Add-on for Apache Web Server, make sure to configure log formatting on the Apache Web Server. This step ensures that all the required fields are present in apache_access.log, especially the response time value needed for this procedure. For detailed configuration steps, see Configure log formatting on the Apache Web Server using httpd.conf.
- Choose a critical page on your site to filter on.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
tag=web site=<URL of critical page> |eval unique_user_info = src_ip.http_user_agent |timechart span=15m aligntime=now dc(unique_user_info)
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Search part | Explanation |
|---|---|
| `tag=web` | Search for events that are tagged as web events. |
| `site=<URL of critical page>` | Search only the site you want to see the number of users on. For example, site=www.mysite.com. |
| `\|eval unique_user_info = src_ip.http_user_agent` | Search for unique users to a specified site and name the field unique_user_info. |
| `\|timechart span=15m aligntime=now dc(unique_user_info)` | Graph the distinct count of unique users to a specified site in 15-minute time increments. Use "now" to refer to the number of users at the current time. |
The search produces a line chart that shows unique users, as described above. It visualizes concurrent users over time, including peaks and valleys. Select the time frame according to organizational needs. It can be limited to only working hours, business days, or weekends. Concurrent usage is often useful for capacity planning or measuring interest in the content the site presents.
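The same distinct-count logic applied directly to Apache combined-format log lines, as an added example that is not part of the original article or of any Splunk add-on. The sample lines are constructed, the function name `active_users` is hypothetical, and buckets are aligned to the clock rather than to "now"; `span_minutes` is assumed to divide 60.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:09:01:10 +0000] "GET /checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Mar/2024:09:03:45 +0000] "GET /checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Mar/2024:09:07:02 +0000] "GET /checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.20 - - [12/Mar/2024:09:14:59 +0000] "GET /checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.20 - - [12/Mar/2024:09:16:30 +0000] "GET /checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
malformed line that the parser must skip
203.0.113.99 - - [12/Mar/2024:09:46:00 +0000] "GET /checkout HTTP/1.1" 500 312 "-" "curl/8.5.0"
"""


def active_users(log_text, span_minutes=15):
    """Return {bucket_start: distinct (src_ip, user_agent) count}, like timechart dc()."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines missing the fields the search depends on
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        start = ts.replace(minute=ts.minute - ts.minute % span_minutes,
                           second=0, microsecond=0)
        # A tuple key keeps IP and user agent separate, unlike plain concatenation.
        buckets[start].add((m["src_ip"], m["ua"]))
    if not buckets:
        return {}
    # Emit empty buckets too, so quiet periods show as 0 rather than as gaps.
    out, t, step = {}, min(buckets), timedelta(minutes=span_minutes)
    while t <= max(buckets):
        out[t] = len(buckets.get(t, ()))
        t += step
    return out


if __name__ == "__main__":
    for start, count in active_users(SAMPLE_LOG).items():
        print(start.isoformat(), count)
```

The count is an approximation of users: clients behind one NAT address with identical user agents collapse into a single entry, and one person on two browsers counts twice.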