How to search stats count of 60,000 Session_IDs by Status without typing each Session_ID value?

Engager

Good Afternoon,

I have a simple search. Normally this would be:

sourcetype=jsi Session_ID=000002b89784b98e91bd OR Session_ID=1c1b68e349f3b98f3570 OR Session_ID=1c1b68e349f3b98f4d3f | stats count by Status

However, in this case I have 60K Session_IDs that I need to input into a single search query.

I have looked at inputcsv, lookup, inputlookup and outputlookup, and to be honest I just don't get it.

Some guidance on how best to proceed please?


Re: How to search stats count of 60,000 Session_IDs by Status without typing each Session_ID value?

Community Manager

Hi @rberkheimer

Do you have exactly 60,000 Session_IDs in your data, or are there more than that and you're only looking for data on those 60,000?


Re: How to search stats count of 60,000 Session_IDs by Status without typing each Session_ID value?

Engager

Hi!

It is actually 58190 Session_IDs.

In my sourcetype=jsi, there are many details on each Session_ID, one of those being Status=Success or Status="some error code".

This log file for one day has 117K Session_IDs in them, and I only want to know the "| stats count by Status" for these 58190.


Re: How to search stats count of 60,000 Session_IDs by Status without typing each Session_ID value?

Legend

Your best option (that comes to mind for me at least) would probably be to use this CSV as a lookup. Past 8000 search terms or so you're not getting a performance boost out of adding more terms anyway (and there's even a hard limit of 10500 results that you can emit from a subsearch), so you might as well run a query against all data and then filter it using your lookup.

Your lookup would be something like:

Session_ID,exists
000002b89784b98e91bd,1
1c1b68e349f3b98f3570,1
1c1b68e349f3b98f4d3f,1

And then your search would look something like this:

sourcetype=jsi | lookup session_ids Session_ID OUTPUT exists | search exists=1 | stats count by Status

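As an added example (not part of the thread), the Python below builds the Session_ID,exists lookup CSV from a plain list of IDs (one per line, deduplicated and trimmed) and emulates the lookup, exists=1 filter and stats count by Status on constructed events, so the expected counts can be sanity-checked before the CSV is uploaded as a lookup table. The ID list, event records and Status values are constructed sample data.

```python
"""Build the Session_ID lookup CSV and emulate the lookup-filter-stats pipeline.

Added example, not from the thread. Assumes the 58,190 IDs live in a plain text
file with one Session_ID per line; all sample values below are constructed.
"""
import csv
import io
from collections import Counter

# Constructed stand-in for the ID file (note the stray whitespace and duplicate,
# which a real export often contains and which would otherwise break matching).
SESSION_ID_LIST = """\
000002b89784b98e91bd
1c1b68e349f3b98f3570
 1c1b68e349f3b98f4d3f
1c1b68e349f3b98f3570
"""

# Constructed events, shaped like the fields Splunk extracts from sourcetype=jsi.
EVENTS = [
    {"Session_ID": "000002b89784b98e91bd", "Status": "Success"},
    {"Session_ID": "1c1b68e349f3b98f3570", "Status": "Success"},
    {"Session_ID": "1c1b68e349f3b98f4d3f", "Status": "ERR_TIMEOUT"},
    {"Session_ID": "ffffffffffffffffffff", "Status": "Success"},      # not in lookup
    {"Session_ID": "eeeeeeeeeeeeeeeeeeee", "Status": "ERR_TIMEOUT"},  # not in lookup
]


def build_lookup_csv(id_text: str) -> str:
    """Return the 'Session_ID,exists' CSV described in the answer, one row per unique ID."""
    ids = sorted({line.strip() for line in id_text.splitlines() if line.strip()})
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Session_ID", "exists"])
    for sid in ids:
        writer.writerow([sid, 1])
    return buf.getvalue()


def stats_count_by_status(events, lookup_csv: str) -> dict:
    """Emulate `lookup session_ids Session_ID OUTPUT exists | search exists=1 | stats count by Status`.

    Events whose Session_ID is absent from the lookup get no 'exists' field and
    are dropped by the search, exactly as in the SPL pipeline.
    """
    rows = csv.DictReader(io.StringIO(lookup_csv))
    wanted = {row["Session_ID"] for row in rows if row["exists"] == "1"}
    return dict(Counter(e["Status"] for e in events if e["Session_ID"] in wanted))


if __name__ == "__main__":
    lookup = build_lookup_csv(SESSION_ID_LIST)
    print(lookup)                                   # paste/upload this as session_ids.csv
    print(stats_count_by_status(EVENTS, lookup))    # {'Success': 2, 'ERR_TIMEOUT': 1}
```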