Splunk Search

Displaying unique URIs visited per session as columns

jbrenner
Path Finder

I have a splunk search that returns two columns, SESSION and URI. How can I show the sequence of URIs visited by each SESSION as columns, with a separate row for each SESSION?

Thanks! 

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

What is your search? What results do you get? What would you like them to look like?

0 Karma

jbrenner
Path Finder

Exactly what I needed. Thanks!

0 Karma

jbrenner
Path Finder

My search returns something like this:

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage2.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html
42b772ff-b142-471c-a780-080261b084a0Page1.html
42b772ff-b142-471c-a780-080261b084a0Page4.html
42b772ff-b142-471c-a780-080261b084a0Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page1.html

 

And I'd like to transform the results into this (preserving the sort sequence):

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html, Page2.html, Page3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html, Page1.html, Page4.html, Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html, Page1.html

 

We can either concatenate the URIs into the same field (as in this example), or we can create a separate column for each URI, whichever is easier.

Thanks!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...