Solved: Re: How to get the number of "unique" request with...

ChrisJack · ‎08-17-2011

We are currently looking for a way to find the number of "unique" request for a given event type with splunk. Like the number of user that hit a 404, but i don't care if a user hit it twice or 10 times, I just want the number of user that had that error. Is there anyway to do that with splunk ?

Ayn · ‎08-17-2011

Use the stats operator dc (an alias for distinct_count). Let's say you have the fields httpResponseCode and user. To get a count of how many users got an httpResponseCode of 404, regardless of how many times each user got it, you'd do:

httpResponseCode=404 | stats dc(user)

More information on the dc stats function, along with others, is available here: http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

View solution in original post

Ayn · ‎08-17-2011

Use the stats operator dc (an alias for distinct_count). Let's say you have the fields httpResponseCode and user. To get a count of how many users got an httpResponseCode of 404, regardless of how many times each user got it, you'd do:

httpResponseCode=404 | stats dc(user)

More information on the dc stats function, along with others, is available here: http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

Ayn · ‎08-17-2011

Yes, that should work fine.

ChrisJack · ‎08-17-2011

Our user is extracted from the request using a extract field.

Example : localhost_access_log : EXTRACT-myUser =
(?i)/users/(?P[^/]+)

Will I be able to go : httpResponseCode=404 | stats dc(myUser)

How to get the number of "unique" request with splunk

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms