I have the following result from a simple search:
I, [2015-07-23T15:30:39+02:00 (1437658239.654) #38640] INFO -- ccceedb1a97f382d192a93fab686319b
[...]
"GET /?sid=ccceedb1a97f382d192a93fab686319b
[...]
https://[...]?sid=756a0279d436826f3ad51ba00f49d65d" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 (PSBrowserEmbedded) Safari/537.36" [...]
(part of the search result hidden due to confidentiality requirements)
However, it is not normal behavior of the system for 'sid' to have two different values in one result. So I'm trying to find all results for a certain time frame where there are multiple values (i.e. more than one unique value) of 'sid' in one result. I'm guessing it should be something similar to this:
http://answers.splunk.com/answers/105397/count-unique-values-from-a-text-result.html
But in one result.
How can I do this?
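The detection the question describes, written out as an added Python example (this is not the poster's code or a Splunk feature; the log events below are constructed to resemble the redacted sample, with example.invalid as a placeholder host, and the 32-hex-character sid format is assumed from the values shown): extract every sid= value in an event, deduplicate, and keep only events whose sid values disagree.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample events (not the poster's real data). Event 0 carries two
# different sid values in the same result, event 1 repeats one sid twice,
# event 2 carries no sid at all.
SAMPLE_EVENTS = [
    'I, [2015-07-23T15:30:39+02:00 (1437658239.654) #38640] INFO -- '
    'ccceedb1a97f382d192a93fab686319b "GET /?sid=ccceedb1a97f382d192a93fab686319b HTTP/1.1" 200 '
    '"https://example.invalid/?sid=756a0279d436826f3ad51ba00f49d65d" "Mozilla/5.0"',
    'I, [2015-07-23T15:31:02+02:00 (1437658262.101) #38641] INFO -- '
    '0123456789abcdef0123456789abcdef "GET /?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 '
    '"https://example.invalid/?sid=0123456789abcdef0123456789abcdef" "Mozilla/5.0"',
    'I, [2015-07-23T15:31:40+02:00 (1437658300.500) #38642] INFO -- '
    '"GET /healthz HTTP/1.1" 200 "-" "curl/7.47"',
]

# Assumed sid format: exactly 32 lowercase hex characters, as in the sample.
SID_RE = re.compile(r"\bsid=([0-9a-f]{32})")
# Leading bracketed ISO-8601 timestamp with offset, as in the sample.
TS_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def extract_sids(event: str) -> List[str]:
    """All sid= values in the event, in order, duplicates kept."""
    return SID_RE.findall(event)


def unique_sids(event: str) -> List[str]:
    """Distinct sid values in the event, sorted for stable comparison."""
    return sorted(set(extract_sids(event)))


def event_time(event: str) -> Optional[datetime]:
    """Timestamp of the event, or None if the line has no recognisable one."""
    m = TS_RE.search(event)
    return datetime.fromisoformat(m.group(1)) if m else None


def events_with_multiple_sids(
    events: List[str],
    start: Optional[datetime] = None,
    end: Optional[datetime] = None,
) -> List[Tuple[Optional[datetime], List[str]]]:
    """Events in [start, end] whose sid values disagree.

    Returns (timestamp, distinct sids) for each hit. Events without a
    timestamp are kept only when no time window is given, so a malformed
    line cannot silently drop out of a bounded search.
    """
    hits = []
    for e in events:
        ts = event_time(e)
        if start is not None and (ts is None or ts < start):
            continue
        if end is not None and (ts is None or ts > end):
            continue
        sids = unique_sids(e)
        if len(sids) > 1:
            hits.append((ts, sids))
    return hits


if __name__ == "__main__":
    for ts, sids in events_with_multiple_sids(SAMPLE_EVENTS):
        print(ts, sids)
```

The same idea in SPL is to let `rex` return every match as a multivalue field and then compare the deduplicated count, for example `... | rex field=_raw max_match=0 "sid=(?<sid>[0-9a-f]{32})" | where mvcount(mvdedup(sid)) > 1`, with the time frame set by the search's own earliest/latest bounds; `mvdedup` matters because an event that repeats the same sid twice, like event 1 above, is normal and should not be flagged.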