Hi team,
I have below sample raw data in splunk:
Now I want splunk to return me the first two events in a httpSessionID, how the query should be?
Thanks,
Cherie
Hi @cheriemilk
Did you try what I suggested?
The streamstats will effectively add a count to each event within a session i.e the first event for session A will have a row of 1, the second will have a row of 2, and the first event for session B will have a row of 1 etc. Therefore, the only events with row less than 3 are the first two event for each session. You may need to do a reverse beforehand otherwise you may end up with the last two in each session
| reverse
| streamstats count as row by sessionId
| where row < 3
| streamstats count as row by sessionId
| where row < 3
Hi @ITWhisperer I want it return first 2 events in every httpSession, instead of filtering out the sessions where there're less than 3 events.
Thanks,
Cherie
Hi @cheriemilk
Did you try what I suggested?
The streamstats will effectively add a count to each event within a session i.e the first event for session A will have a row of 1, the second will have a row of 2, and the first event for session B will have a row of 1 etc. Therefore, the only events with row less than 3 are the first two event for each session. You may need to do a reverse beforehand otherwise you may end up with the last two in each session
| reverse
| streamstats count as row by sessionId
| where row < 3
You're right. I ever thought streamstats count as row by sessionID is to count the number of events in a session.
Thanks,
Cherie