Here is a simple question. The following is my search:
index="atg" sessionId="*mob" host="*" | stats values(host) as hosts,values(source) as sources by sessionId
Now I want to list out the sessionId values which contain more than one host or one source. How can I filter the results?
Add a dc(host) to the search, then filter off that key.
index="atg" sessionId="*mob" host="*"
| stats values(host) as hosts, dc(host) as hostcount, values(source) as sources by sessionId
| where hostcount > 1
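The question asks for sessions that span more than one host or more than one source, and the answer above only filters on the host count. The same pattern applied to source as well, as an added example that is not part of the original answer (the alias names hostcount and sourcecount are chosen here, not from the page):

```spl
index="atg" sessionId="*mob" host="*"
| stats values(host) as hosts, dc(host) as hostcount,
        values(source) as sources, dc(source) as sourcecount
        by sessionId
| where hostcount > 1 OR sourcecount > 1
```

dc() is a distinct count of non-null values per sessionId, so a session logged under the same host and source many times still yields hostcount=1 and sourcecount=1 and is filtered out; only sessions whose events disagree on host or on source survive the where clause. Note that where runs after stats, so it must reference the aliases produced by stats (hostcount, sourcecount), not the raw host or source fields, which no longer exist at that point in the pipeline.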
How do we write this query in the case of Splunk Enterprise Security?