Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Displaying unique URIs visited per session as columns

jbrenner
Path Finder
‎10-22-2024 07:25 AM

I have a splunk search that returns two columns, SESSION and URI. How can I show the sequence of URIs visited by each SESSION as columns, with a separate row for each SESSION?

Thanks! 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 08:02 AM

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 07:31 AM

What is your search? What results do you get? What would you like them to look like?

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-22-2024 08:05 AM

Exactly what I needed. Thanks!

0 Karma
Reply
Solved! Jump to solution

jbrenner
Path Finder
‎10-22-2024 07:59 AM

My search returns something like this:

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage2.html
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html
42b772ff-b142-471c-a780-080261b084a0Page1.html
42b772ff-b142-471c-a780-080261b084a0Page4.html
42b772ff-b142-471c-a780-080261b084a0Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page1.html

 

And I'd like to transform the results into this (preserving the sort sequence):

SESSIONURI
b4db1013-e31d-4df5-94ed-3b5b2fc0dc1fPage1.html, Page2.html, Page3.html
42b772ff-b142-471c-a780-080261b084a0Page2.html, Page1.html, Page4.html, Page5.html
5136941f-a2e7-4c39-83bd-bd5d2709fb18Page3.html, Page1.html

 

We can either concatenate the URIs into the same field (as in this example), or we can create a separate column for each URI, whichever is easier.

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2024 08:02 AM

Try something like this

| stats list(URI) as URI by SESSION
| eval URI=mvjoin(URI,",")
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...