I have some web traffic data that I am ingesting and would like to display a table showing the URL that was visited, the total number of hits (based off IP) and the unique number of hits (again based off IP). I have a table configured as shown below but I think it's incorrect because Count is just counting all the values in all the events for the given time period. How would I get it to just count the number of events for the time period? The IP field is currently just indexed as a string; if it needs to be indexed as an IP, that can also be done.
If I'm understanding correctly what you're asking for, it looks like you have it...
> total number of hits (based off IP)
That part is suspect though. What do you mean "total based off IP"? The total (count) you're looking at there is the overall total hit count, regardless of IP. Is that not what you mean?
Maybe I'm misunderstanding the explanation of the count aggregation then.
I understood this to mean that it was counting all fields in all events. So if I have 2 events with 10 fields each, I would get a count of 20.
Ah, no, it's counting all the documents that match a certain combination of buckets, not the number of fields in those documents.
In your case, you are bucketing on ClientRequestURI, so the Count you see on each row is a count of all of the documents that have that value for that field. So that first row is saying you have 38,764 unique IPs and 278,969 total documents with that value for ClientRequestURI.
lol ok so....I've got exactly what I want?
Yeah, I think so, if you're just trying to see the total count for each URI, and the total count of unique IPs for each URI.
It was the "(based off IP)" part that was throwing me; it sounds like you're just looking for total count, which you have.
If you are looking for the total count of each unique IP address (i.e. the number of hits from each IP), that's different, and that's not what you are seeing.
Ya sorry. I think what I meant was I want to see the number of hits a URI has received and then the number of unique hits for the given URI. Of the data available, this is the most reliable data point to use for "uniqueness".
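The three counts discussed in this thread (documents per URI bucket, unique IPs per URI, and hits per individual IP) can be reproduced offline. This is an added example, not code from any poster or from Kibana; the events are constructed, and `ClientIP` is an assumed name for the IP field (only `ClientRequestURI` appears in the thread).

```python
from collections import Counter, defaultdict

# Constructed sample events. Each has several fields, but a bucket's Count
# is the number of documents, never the number of fields.
EVENTS = [
    {"ClientRequestURI": "/login", "ClientIP": "198.51.100.7", "status": 200},
    {"ClientRequestURI": "/login", "ClientIP": "198.51.100.7", "status": 401},
    {"ClientRequestURI": "/login", "ClientIP": "198.51.100.7", "status": 401},
    {"ClientRequestURI": "/login", "ClientIP": "198.51.100.9", "status": 200},
    {"ClientRequestURI": "/index", "ClientIP": "198.51.100.7", "status": 200},
    {"ClientRequestURI": "/index", "ClientIP": "203.0.113.20", "status": 200},
    {"ClientIP": "203.0.113.20", "status": 400},  # no URI: falls in no bucket
]


def uri_table(events, uri_field="ClientRequestURI", ip_field="ClientIP"):
    """Rows of (URI, total hits, unique IPs), busiest URI first."""
    hits = Counter()
    ips = defaultdict(set)
    for ev in events:
        uri = ev.get(uri_field)
        if uri is None:
            continue  # documents without the bucketing field are not counted
        hits[uri] += 1  # one per document, however many fields it carries
        ip = ev.get(ip_field)
        if ip is not None:
            ips[uri].add(ip)  # set membership gives the unique count
    return [(uri, total, len(ips[uri])) for uri, total in hits.most_common()]


def hits_per_ip(events, uri, uri_field="ClientRequestURI", ip_field="ClientIP"):
    """The 'different' view from the thread: hits from each IP for one URI."""
    return Counter(
        ev[ip_field]
        for ev in events
        if ev.get(uri_field) == uri and ev.get(ip_field) is not None
    )


if __name__ == "__main__":
    print(f"{'URI':<10}{'Count':>8}{'Unique IPs':>12}")
    for uri, total, unique in uri_table(EVENTS):
        print(f"{uri:<10}{total:>8}{unique:>12}")
    # A wide gap between Count and Unique IPs means a few sources dominate.
    print(hits_per_ip(EVENTS, "/login").most_common())
```

This sketch counts distinct IPs exactly; Elasticsearch's cardinality aggregation, which backs Unique Count, is approximate on large sets.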