Solved: Grouping by two fields, want to get distinct count...

jbrenner · ‎10-05-2017

Hi,

I wrote the following Splunk query which returns a list of distinct USER_AGENTs for each SESSION_ID:

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats count by SESSION_ID, USER_AGENT

I would now like to modify this query to return a list of SESSION_IDs that have more than one unique value for USER_AGENT, and the count of the unique values.

Thanks!
Jonathan

somesoni2 · ‎10-05-2017

Try this

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID | where USER_AGENTs>1

View solution in original post

somesoni2 · ‎10-05-2017

Try this

index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats dc(USER_AGENT) as USER_AGENTs by SESSION_ID | where USER_AGENTs>1

jbrenner · ‎10-05-2017

That worked.
Thanks!

Grouping by two fields, want to get distinct count of values in second field

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Grouping by two fields, want to get distinct count of values in second field

Developer Spotlight with William Searle

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!