Splunk Search

Compare fields in a table

ejread
Explorer

I have a table generated from two fields, sessionid and host -

... | stats count by sessionid host

I am trying to find only the sessionids that appear on more than one host. So basically, I need to compare each sessionid/host pair that appears in the logs with subsequent pairs for the same sessionid, but a different host.

Tags (1)
0 Karma

ldurrani
New Member

This will give you what you are looking for.

... | transaction pdsessionid maxspan=30s maxpause=5s | eval hcount = mvcount(host) | where hcount > 1

0 Karma

gkanapathy
Splunk Employee
Splunk Employee
 ... | stats count by sessionid host | eventcount dc(host) as hc by sessionid | where hc >= 2

or you could do:

... | values(host) as hosts by sessionid | where mvcount(hosts) >= 2

but that gives you a less flexible set of results.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...