Solved: Counting session IDs across multiple fields

benkeen · ‎11-05-2019

Hi all, brand new to splunk search syntax. I have a command like so:

... | stats count by userAgent, browserVersion, osName

That yields a table with those three columns about browsers (user agent, browser version & the OS) plus a fourth column, containing the total count of each row. Nice! However, I need a final row containing the count of unique session IDs for those rows. I know I can get access to the session IDs via session_id but I don't see how to sum them up (dc() command...?) for the unique combinations of userAgent-browserVersion-osName.

Any suggestions?

richgalloway · ‎11-05-2019

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

kartm2020 · ‎11-05-2019

Hope i understand the requirement. Please try the below query.

| stats count(session_id) by userAgent, browserVersion, osName

Please let me know if it doesn't meet your requirement

richgalloway · ‎11-05-2019

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post