Hi,
I'm trying to get a table of all the Session_ID values when the count of Logon_IDs is more than 2, but since the stats count is based on the number of Logon_IDs, the Session_ID field is no longer available for me to table.
For example:
Data=
Logon_IDs Session_ID
Jones sess_1
Smith sess_2
Brown sess_3
Smith sess_4
My first attempt was stats count BY Logon_IDs | where count > 1 | table Session_ID, but this removes the Session_ID field.
What SPL should I be using to get the result:
Session_ID
sess_2
sess_4
Many thanks,
Mark.
Try this
.... | stats values(loginid) as lid count by sessionid | where mvcount(lid)>1
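
An added example, not part of the original answer: a self-contained search that rebuilds the four sample rows from the question with makeresults (constructed data) and uses eventstats, which attaches the per-Logon_IDs count to every event instead of collapsing them, so Session_ID is still there to table. The field name logon_count is an assumption chosen for this example.

```spl
| makeresults
| eval data="Jones:sess_1 Smith:sess_2 Brown:sess_3 Smith:sess_4"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<Logon_IDs>[^:]+):(?<Session_ID>.+)"
| eventstats count AS logon_count BY Logon_IDs
| where logon_count > 1
| table Session_ID
```

On the sample rows this returns sess_2 and sess_4. Against real data, replace the first five lines with the base search and keep the last three.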