Solved: Counting session IDs across multiple fields

benkeen · ‎11-05-2019

Hi all, brand new to splunk search syntax. I have a command like so:

... | stats count by userAgent, browserVersion, osName

That yields a table with those three columns about browsers (user agent, browser version & the OS) plus a fourth column, containing the total count of each row. Nice! However, I need a final row containing the count of unique session IDs for those rows. I know I can get access to the session IDs via session_id but I don't see how to sum them up (dc() command...?) for the unique combinations of userAgent-browserVersion-osName.

Any suggestions?

richgalloway · ‎11-05-2019

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

kartm2020 · ‎11-05-2019

Hope i understand the requirement. Please try the below query.

| stats count(session_id) by userAgent, browserVersion, osName

Please let me know if it doesn't meet your requirement

richgalloway · ‎11-05-2019

If what you want is "the count of unique session IDS" then try ... | stats count, dc(session_id) by userAgent, browserVersion, osName.
If you want "to sum them up" then you're likely out of luck since non-numeric values (which is what session IDs probably are) can't be summed.

---
If this reply helps you, Karma would be appreciated.

Counting session IDs across multiple fields

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes