I've been asked to create my best case/wished-for Splunk event and our tech team will create it for me. I think I'm in a bit over my
head because I don't know what "best" should look like.
These events are ONLY for the analytics team at the office to do work, these have no purpose outside of our team. I'm pulling data from google analytics and our cookie for users.
Here's what I've come up with so far.
[2016-05-19 12:04:25,979] [ACTION-Track]
[id=1521775661u1442616559]
[utma_1_first=91689306]
[utma_2_first=1526771661]
[utma_3_first=1412616559]
[utma_4_first=1452136054]
[utma_5_first=1464900787
[utma_6_first=211]
[ip_first=255.255.255.255]
[device_akamai_first=MOBILE]
[device_extra_first=MOBILE]
[country_first=US]
[state_first=NY]
[city_first=NEWYORK]
[lat_first=40.7500]
[long_first=-73.9967]
[loggedin=0]
[server_session_id=05B19CF1665B8AC5A8913A3F6FA01DE9]
[utma_1_event=99681306]
[utma_2_event=1811900925]
[utma_3_event=1464912789]
[utma_4_event=1464912789]
[utma_5_event=1464902189]
[utma_6_event=1]
[utmb_1_event=99189306]
[utmb_2_event=1]
[utmb_3_event=10]
[utmb_4_event=1464900717]
[utmc_event=99189306]
[utmz_1_event=99619306]
[utmz_2_event=1456521385]
[utmz_3_event=201]
[utmz_4_event=11]
[utmz_utmcsr_event=admin1:1011]
[utmz_utmccn_event=(referral)]
[utmz_utmcmd_event=referral]
[utmz_utmcct_event=/admin/index.jsp]
[ip_event=255.255.255.2]
[device_akamai_event=NDV]
[device_extra_event=MOBILE]
[country_event=US]
[state_event=NY]
[city_event=NEWYORK]
[lat_event=40.7500]
[long_event=-73.9967]
[basket_event=zzDefault~198840000000~011`~JHUN~198540000000~002`~ORLANDO~198540000000~021]
[step_event=0]
[url_event=/product/cart/qty.html?token=1411464901183199&referrer=http://www.XXXXX.com/gifts/]
[q_size=10]
[dv=NDV]
Here's what I wonder:
* does it make sense to create the field-ready lines in the event? "utma_1_first=" or would it be better to extract them in the events?
* is it better to use new lines, or should it be one long line?
↧