Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to count events by values from related events?

maclun
New Member
‎02-08-2016 11:56 PM

Hi,

There is a web app that has an 'init' event on load. It carried current 'version' and 'sessionId'.
All other events have 'sessionId' attribute. E.g:
init:
{version: '1.2.3', sessionId: 'asdd-asdd-wqed-wqed'}
any event:
{sessionId: 'asdd-asdd-wqed-wqed', userId: 4123}

I would like to know how many users are on which version.
It could be that there are many init events per user - when they reload the page. Could also be that those init events have different versions if the web app has been updated in the meantime.

I would appreciate if you could tell me how to achieve this, or at least point me to some direction (functions, examples).

Cheers!

0 Karma
Reply

somesoni2
Revered Legend
‎02-09-2016 11:37 AM

Try something like this

your base search | table version sessionId userId | eventstats values(version) as version by sessionId | stats dc(userId) as count by version
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...