- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count unique values of a field in one result
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following result from a simple search:
I, [2015-07-23T15:30:39+02:00 (1437658239.654) #38640] INFO -- ccceedb1a97f382d192a93fab686319b
[...]
"GET /?sid=ccceedb1a97f382d192a93fab686319b
[...]
https://[...]?sid=756a0279d436826f3ad51ba00f49d65d" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 (PSBrowserEmbedded) Safari/537.36" [...]
(part of the search result hidden due to confidentiality requirements)
However, it is not a normal behavior of the system for 'sid' to have two different values in one result. So I'm trying to find all results for a certain time frame where there are multiple values (i.e. more than one unique value) of 'sid' in one result. I'm guessing it should be something similar to this:
http://answers.splunk.com/answers/105397/count-unique-values-from-a-text-result.html
But in one result.
How can I do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If Splunk is already identifying the field 'sid' for you as multivalued field for events having multiple values of it, try this:-
your base search | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)
If the field sid is not extracted by Splunk automatically, try this
your base search | rex max_match=0 "sid=(?<sid>\w+)" | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Valentin,
U can use |transaction command which will group with respect to session ID's..
your base search | rex "(?im)sid=(?\w+)" | transaction sid | stats count by sid
Hope it will help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If Splunk is already identifying the field 'sid' for you as multivalued field for events having multiple values of it, try this:-
your base search | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)
If the field sid is not extracted by Splunk automatically, try this
your base search | rex max_match=0 "sid=(?<sid>\w+)" | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you somesoni2,
Your answer seems to have worked best for me and returns results as I needed. Apparently, 'sid' is not extracted automatically by Splunk, so I had to use the second suggestion.
Thanks to everyone for looking into this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats dc(field)
you can extract the field or use can user regualrexpression.
-Krishna Rajapantula
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks krishnarajapantula,
However, this doesn't seem to work for me. The search brings me no results (having the same time range as the initial search).
I was thinking it might be a bit more complex search, but am open to try any other suggestions.
BR
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
