How to search the total distinct count on two diff...

jameskerivan · ‎09-08-2015

Hi,

This is kind of a silly question, but currently my application is logging the session id as two separate fields, Session_id and sessionId. Now sometimes either of the session ids can be NA. I want to find the total unique session id's for my search based on those 2 fields. An example would be like

session_id = 2 sessionId = 2
session_id = NA sessionId = 3
session_id=1 sessionId = NA

So my count would be 4 with counts for {2, NA, 3, 1}

Thanks so much!

chanmi2 · ‎09-08-2015

Try this:

your search | eval combine_session = session_id.",".sessionID | makemv delim = "," combine_session | stats dc(combine_session), values(combine_session)

justinatpnnl · ‎09-08-2015

Normally you would use the COALESCE function for this, but if the session_id literally has the string "NA" then that poses a problem.

I would probably attack it like this:

<your search here>
| eval new_session_id  = case(isnum(session_id), session_id, isnum(sessionID), sessionID, 1==1, "NA")
| stats dc(new_session_id)

How to search the total distinct count on two different fields?

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials