Solved: Grouping by two fields, want to get distinct count...

jbrenner · ‎10-05-2017

Hi,

I wrote the following Splunk query which returns a list of distinct USER_AGENTs for each SESSION_ID:

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats count by SESSION_ID, USER_AGENT

I would now like to modify this query to return a list of SESSION_IDs that have more than one unique value for USER_AGENT, and the count of the unique values.

Thanks!
Jonathan

somesoni2 · ‎10-05-2017

Try this

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID | where USER_AGENTs>1

View solution in original post

somesoni2 · ‎10-05-2017

Try this

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID | where USER_AGENTs>1

jbrenner · ‎10-05-2017

That worked.
Thanks!

Grouping by two fields, want to get distinct count of values in second field

Now Playing: Splunk Education Summer Learning Premieres

The Visibility Gap: Hybrid Networks and IT Services

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Are you a member of the Splunk Community?

Grouping by two fields, want to get distinct count of values in second field

Now Playing: Splunk Education Summer Learning Premieres

The Visibility Gap: Hybrid Networks and IT Services

Get Operational Insights Quickly with Natural Language on the Splunk Platform