Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get a usage count of all the user sessions that are NOT sticking to one host without providing "session id" in search box?

Pravinraju
New Member
‎03-19-2018 01:59 PM

index="inx_prod" host="pweb*" "session_id=4w344fbrz5th1pzfatvb0u3u" | table host, session_id | stats count by host, session_id

The above query provides result as below :

host | session_id | count

pweb01 | 4w344fbrz5th1pzfatvb0u3u | 10
pweb02 | 4w344fbrz5th1pzfatvb0u3u | 8
pweb01 | 98ashdsssswaeiluhawdhn56 | 4
pweb02 | 98ashdsssswaeiluhawdhn56 | 20

I want to get a session ids that is associated with the different servers, thereby not using the "session_id" in the search box !

Tags (1)
0 Karma
Reply

elliotproebstel
Champion
‎03-19-2018 02:24 PM

If you want to find session_id values that are seen in logs across multiple hosts, you can use the dc() function in stats to count the distinct number of host values seen per session_id like this:

index="inx_prod" host="pweb*"
| stats dc(host) AS host_count BY session_id
| where host_count>1

And if you want to preserve what those host values were, so you have the host names as well as the count:

index="inx_prod" host="pweb*"
| stats dc(host) AS host_count, values(host) AS host BY session_id
| where host_count>1
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...