Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare fields in a table

ejread
Explorer
‎10-03-2012 01:31 PM

I have a table generated from two fields, sessionid and host -

... | stats count by sessionid host

I am trying to find only the sessionids that appear on more than one host. So basically, I need to compare each sessionid/host pair that appears in the logs with subsequent pairs for the same sessionid, but a different host.

Tags (1)
0 Karma
Reply

ldurrani
New Member
‎10-04-2012 01:06 PM

This will give you what you are looking for.

... | transaction pdsessionid maxspan=30s maxpause=5s | eval hcount = mvcount(host) | where hcount > 1

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-03-2012 01:56 PM 
 ... | stats count by sessionid host | eventcount dc(host) as hc by sessionid | where hc >= 2

or you could do:

... | values(host) as hosts by sessionid | where mvcount(hosts) >= 2

but that gives you a less flexible set of results.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...