Grouping by two fields, want to get distinct count of values in second field

Explorer

Hi,

I wrote the following Splunk query which returns a list of distinct USERAGENTs for each SESSIONID:

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats count by SESSION_ID, USER_AGENT

I would now like to modify this query to return a list of SESSIONIDs that have more than one unique value for USERAGENT, and the count of the unique values.

Thanks!
Jonathan

1 Solution

SplunkTrust

Try this

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID | where USER_AGENTs>1

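To make the two searches concrete without a Splunk instance, here is an added Python example (not code from the thread) that replays both pipelines over a handful of constructed log events: the `rex` extraction, the original `stats count by SESSION_ID, USER_AGENT`, and the accepted `stats dc(USER_AGENT) ... | where USER_AGENTs>1`. The regular expression is the thread's pattern rewritten in Python's `(?P<name>...)` named-group syntax; the event format and session identifiers are invented for the demonstration.

```python
import re
from collections import defaultdict

# Python spelling of the rex pattern from the thread: Python's re module needs
# (?P<name>...) where Splunk accepts (?<name>...). Everything else is unchanged.
EVENT_RE = re.compile(r"-S:(?P<SESSION_ID>\w+)-.+User agent: '(?P<USER_AGENT>.+)', Referrer")

# Constructed sample events (not real data), shaped so the rex above matches them.
# The last line has no session marker and is dropped, exactly as rex would drop it.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01Z -S:sess1-INFO User agent: 'Mozilla/5.0 (Windows NT 10.0)', Referrer: https://example.test/a",
    "2024-03-01T10:00:05Z -S:sess1-INFO User agent: 'Mozilla/5.0 (Windows NT 10.0)', Referrer: https://example.test/b",
    "2024-03-01T10:01:00Z -S:sess2-INFO User agent: 'curl/8.4.0', Referrer: -",
    "2024-03-01T10:01:30Z -S:sess2-INFO User agent: 'Mozilla/5.0 (X11; Linux x86_64)', Referrer: -",
    "2024-03-01T10:02:00Z -S:sess3-INFO User agent: 'python-requests/2.31', Referrer: -",
    "2024-03-01T10:02:10Z -S:sess3-INFO User agent: 'Mozilla/5.0 (iPhone)', Referrer: -",
    "2024-03-01T10:02:20Z -S:sess3-INFO User agent: 'curl/8.4.0', Referrer: -",
    "2024-03-01T10:03:00Z heartbeat without session marker",
]


def extract(events):
    """The rex step: yield (SESSION_ID, USER_AGENT) for every event the pattern matches."""
    for raw in events:
        m = EVENT_RE.search(raw)
        if m:
            yield m.group("SESSION_ID"), m.group("USER_AGENT")


def count_by_session_and_agent(events):
    """Equivalent of: stats count by SESSION_ID, USER_AGENT  (the original query)."""
    counts = defaultdict(int)
    for sid, ua in extract(events):
        counts[(sid, ua)] += 1
    return dict(counts)


def distinct_agents_by_session(events):
    """Equivalent of: stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID."""
    agents = defaultdict(set)
    for sid, ua in extract(events):
        agents[sid].add(ua)
    return {sid: len(uas) for sid, uas in agents.items()}


def sessions_with_multiple_agents(events, threshold=1):
    """Equivalent of: ... | where USER_AGENTs>threshold, returned as sorted (SESSION_ID, USER_AGENTs) pairs."""
    dc = distinct_agents_by_session(events)
    return sorted((sid, n) for sid, n in dc.items() if n > threshold)


if __name__ == "__main__":
    # Prints one row per session that presented more than one distinct user agent.
    for sid, n in sessions_with_multiple_agents(SAMPLE_EVENTS):
        print(f"{sid}\t{n}")
```

The `threshold` parameter is the one addition beyond the thread's `>1`: raising it is a cheap way to tune how noisy the result is when reviewing sessions whose user agent changes mid-session, which is the kind of anomaly this search is typically used to surface.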

Explorer

That worked.
Thanks!