Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the number of "unique" request with splunk

ChrisJack
New Member
‎08-17-2011 07:33 AM

We are currently looking for a way to find the number of "unique" request for a given event type with splunk. Like the number of user that hit a 404, but i don't care if a user hit it twice or 10 times, I just want the number of user that had that error. Is there anyway to do that with splunk ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎08-17-2011 08:07 AM

Use the stats operator dc (an alias for distinct_count). Let's say you have the fields httpResponseCode and user. To get a count of how many users got an httpResponseCode of 404, regardless of how many times each user got it, you'd do:

httpResponseCode=404 | stats dc(user)

More information on the dc stats function, along with others, is available here: http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎08-17-2011 08:07 AM

Use the stats operator dc (an alias for distinct_count). Let's say you have the fields httpResponseCode and user. To get a count of how many users got an httpResponseCode of 404, regardless of how many times each user got it, you'd do:

httpResponseCode=404 | stats dc(user)

More information on the dc stats function, along with others, is available here: http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

Reply
Solved! Jump to solution

Ayn
Legend
‎08-17-2011 12:34 PM

Yes, that should work fine.

0 Karma
Reply
Solved! Jump to solution

ChrisJack
New Member
‎08-17-2011 10:41 AM

Our user is extracted from the request using a extract field.

Example : localhost_access_log : EXTRACT-myUser =
(?i)/users/(?P[^/]+)

Will I be able to go : httpResponseCode=404 | stats dc(myUser)

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...