Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare fields in a table

ejread
Explorer
‎10-03-2012 01:31 PM

I have a table generated from two fields, sessionid and host -

... | stats count by sessionid host

I am trying to find only the sessionids that appear on more than one host. So basically, I need to compare each sessionid/host pair that appears in the logs with subsequent pairs for the same sessionid, but a different host.

Tags (1)
0 Karma
Reply

ldurrani
New Member
‎10-04-2012 01:06 PM

This will give you what you are looking for.

... | transaction pdsessionid maxspan=30s maxpause=5s | eval hcount = mvcount(host) | where hcount > 1

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-03-2012 01:56 PM 
 ... | stats count by sessionid host | eventcount dc(host) as hc by sessionid | where hc >= 2

or you could do:

... | values(host) as hosts by sessionid | where mvcount(hosts) >= 2

but that gives you a less flexible set of results.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...