Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Displaying unique URIs visited per session as columns

jbrenner
Path Finder
‎10-22-2024 07:25 AM

I have a splunk search that returns two columns, SESSION and URI. How can I show the sequence of URIs visited by each SESSION as columns, with a separate row for each SESSION?

Thanks! 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 08:02 AM

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 07:31 AM

What is your search? What results do you get? What would you like them to look like?

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-22-2024 08:05 AM

Exactly what I needed. Thanks!

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-22-2024 07:59 AM

My search returns something like this:

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage2.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html
42b772ff-b142-471c-a780-080261b084a0Page1.html
42b772ff-b142-471c-a780-080261b084a0Page4.html
42b772ff-b142-471c-a780-080261b084a0Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page1.html

 

And I'd like to transform the results into this (preserving the sort sequence):

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html, Page2.html, Page3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html, Page1.html, Page4.html, Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html, Page1.html

 

We can either concatenate the URIs into the same field (as in this example), or we can create a separate column for each URI, whichever is easier.

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 08:02 AM

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...