topic Re: Count unique values of a field in one result in Splunk Search

Count unique values of a field in one result

valentin_bogdan — Mon, 27 Jul 2015 12:55:44 GMT

I have the following result from a simple search:

I, [2015-07-23T15:30:39+02:00 (1437658239.654) #38640]  INFO -- ccceedb1a97f382d192a93fab686319b
[...]
"GET /?sid=ccceedb1a97f382d192a93fab686319b 
[...]
https://[...]?sid=756a0279d436826f3ad51ba00f49d65d" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 (PSBrowserEmbedded) Safari/537.36" [...]

(part of the search result hidden due to confidentiality requirements)

However, it is not a normal behavior of the system for 'sid' to have two different values in one result. So I'm trying to find all results for a certain time frame where there are multiple values (i.e. more than one unique value) of 'sid' in one result. I'm guessing it should be something similar to this:
http://answers.splunk.com/answers/105397/count-unique-values-from-a-text-result.html

But in one result.

How can I do this?

Re: Count unique values of a field in one result

krishnarajapant — Mon, 27 Jul 2015 13:16:00 GMT

stats dc(field)

you can extract the field or use can user regualrexpression.

-Krishna Rajapantula

Re: Count unique values of a field in one result

valentin_bogdan — Mon, 27 Jul 2015 14:21:39 GMT

Thanks krishnarajapantula,

However, this doesn't seem to work for me. The search brings me no results (having the same time range as the initial search).

I was thinking it might be a bit more complex search, but am open to try any other suggestions.

Re: Count unique values of a field in one result

somesoni2 — Mon, 27 Jul 2015 14:49:01 GMT

If Splunk is already identifying the field 'sid' for you as multivalued field for events having multiple values of it, try this:-

your base search | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)

If the field sid is not extracted by Splunk automatically, try this

your base search | rex max_match=0 "sid=(?<sid>\w+)" | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)

Re: Count unique values of a field in one result

neelamssantosh — Mon, 27 Jul 2015 15:39:55 GMT

Hi Valentin,

U can use |transaction command which will group with respect to session ID's..

your base search | rex "(?im)sid=(?\w+)" | transaction sid | stats count by sid

Hope it will help.

Re: Count unique values of a field in one result

valentin_bogdan — Tue, 28 Jul 2015 07:46:50 GMT

Thank you somesoni2,

Your answer seems to have worked best for me and returns results as I needed. Apparently, 'sid' is not extracted automatically by Splunk, so I had to use the second suggestion.

Thanks to everyone for looking into this.