Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Join two stats searches and run stats/group on the result

gregorymountfor
Explorer
‎10-02-2018 04:13 AM

I'd like to join two searches and run some stats to group the combined result to see how many users change/update browsers how often.

In my IIS logs I have one search that gives me a user agent string ( cs_User_Agent) and a SessionId; then another that has the SessionId and the UserId

search 1 retrieves a table of cs_User_Agent and SessionId:
host=HOST1 index=iis sc_status=200 getLicense | sistats dc(SessionId) count by cs_User_Agent

SessionId           cs_User_Agent                                                                                                                         count
0014D886099319E6    Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/64.0.3282.140+Safari/537.36+Edge/17.17134        12
0014D953D99FD234    Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36                        5
0014D953D99FD234    Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36                             5
00154D82F471A7AA    Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36                       2
0015B3CAC0EC3940    Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/68.0.3440.106+Safari/537.36                      30
0015C53D737B2991    Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/68.0.3440.106+Safari/537.36+OPR/55.0.2994.61     16

search 2 retrieves a table of SessionId and UserId:
host=HOST1 index=iis sc_status=200 authorize | stats count by SessionId, UserId

SessionId           UserId                      count
00061D40BFAB4208    4BJKKEAWGYXEAJH0F5F9DHSC0024    2
0008F091D8E8BE1A    1I7WKS9XIMZ92DCZF6CVKA4E001Q    2
000E5B538CC0A7B2    KQCZIHHPG9IOC9UD7MJICESS005B    1
000FC56381D4EA4B    3PH0F08V00SY9GFPGVCQBIQN006N    3
00106C907ED66683    JALM1LNJ8SV72BNHE1C5H0I50020    3
0013143CBC157C26    ETW9HL7L71PQJB7P492LLFEM006E    4
001E25B42A554F79    702EBB0O8MKG0VI94VIQ01ZE0031    1

I need to join these together to see how many different cs_User_Agent strings the users had during the period and count those.
Basically to see how many of the users change/update browsers very often.

So, my result should look like this:

Number of UA Strings in the period     |   Number of Users in grouping
>20                                        1
>10                                        3
>5                                         4
5                                         10
4                                          3
3                                          3
2                                          1
1                                         14

The results for search 1 & 2 would return A LOT of data, and from reading the subsearch info it sounds like that's not ideal as the whole subsearch would have to stay in RAM? Is there a better way than subsearch to do this?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...