- Find Answers
- :
- Splunk Platform
- :
- Splunk AppDynamics
- :
- Returning the count of unique browser applications...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to create a metric that returns the amount of browser applications being monitored on the controller.
I have tried to do this using a distinct count of the app key, although my query is returning 1 instead of the amount of browser apps.
Here are the queries I have tried:
SELECT distinctcount(appkey) FROM browser_records
SELECT distinctcount(appkey) FROM web_session_records
If anyone knows of a way or can point me in the right direction, I would greatly appreciate it.
Thanks,
Jesse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jesse
As you noticed when you use the following query as a metric
SELECT distinctcount(appkey) FROM browser_records
It will give you a count of the number of apps that have received data in the last 5 minutes only, if there is no data in the last 5 minutes for any of the applications, it will not show and count those.
If any of the apps don't have any data it wont give you anything
What you can do to bypass this is to add a condition e.g where I put a condition that it counts all data that's less than the year 2040, or you can build a condition to just check what data timestamps is less than now()
SELECT distinctcount(appkey) FROM browser_records WHERE eventTimestamp < 2232636067000
This forces the query to check all data in the analytics cluster, not just the last 5 minutes
However, depending on how long you store your analytical data, e.g if you only store data for 2 weeks, and one of the applications does not have any reported data in analytics, that app will not be counted as there is no data for it.
Hope I am making sense
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jesse
As you noticed when you use the following query as a metric
SELECT distinctcount(appkey) FROM browser_records
It will give you a count of the number of apps that have received data in the last 5 minutes only, if there is no data in the last 5 minutes for any of the applications, it will not show and count those.
If any of the apps don't have any data it wont give you anything
What you can do to bypass this is to add a condition e.g where I put a condition that it counts all data that's less than the year 2040, or you can build a condition to just check what data timestamps is less than now()
SELECT distinctcount(appkey) FROM browser_records WHERE eventTimestamp < 2232636067000
This forces the query to check all data in the analytics cluster, not just the last 5 minutes
However, depending on how long you store your analytical data, e.g if you only store data for 2 weeks, and one of the applications does not have any reported data in analytics, that app will not be counted as there is no data for it.
Hope I am making sense
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mario
You are making sense and have been very helpful. I like the method you've shown of using the timestamp condtion to check all the data.
Thanks for the help,
Jesse
Developer Spotlight with Brett Adams
Index This | What can you do to make 55,555 equal 500?
Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...
