I use the code below, and it works..
sourcetype="splunk_page_request" | transaction session_id maxspan=3s
and I want to use the code below
sourcetype="splunk_page_request" | transaction request_uri AND session_id maxspan=3s
it works?
please explain how to work the upper code..
actually, I want the result below
if below
request_uri=1 session_id=a time=2013/07/10 12:00:00
request_uri=2 session_id=a time=2013/07/10 12:00:02
count is 2
if below
request_uri=1 session_id=a time=2013/07/10 12:00:00
request_uri=1 session_id=a time=2013/07/10 12:00:02
count is 1
someone please help me..
sourcetype="splunk_page_request" | transaction request_uri session_id maxspan=3s
Thank you so much!!
sourcetype="splunk_page_request" | transaction request_uri session_id maxspan=3s