Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Counting session IDs across multiple fields

benkeen
Engager
‎11-05-2019 04:48 PM

Hi all, brand new to splunk search syntax. I have a command like so:

... | stats count by userAgent, browserVersion, osName

That yields a table with those three columns about browsers (user agent, browser version & the OS) plus a fourth column, containing the total count of each row. Nice! However, I need a final row containing the count of unique session IDs for those rows. I know I can get access to the session IDs via session_id but I don't see how to sum them up (dc() command...?) for the unique combinations of userAgent-browserVersion-osName.

Any suggestions?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2019 07:43 PM

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

kartm2020
Communicator
‎11-05-2019 09:52 PM

Hope i understand the requirement. Please try the below query.

| stats count(session_id) by userAgent, browserVersion, osName

Please let me know if it doesn't meet your requirement

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2019 07:43 PM

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...