Question

We are currently looking for a way to find the number of "unique" requests for a given event type with Splunk. Like the number of users that hit a 404, but I don't care if a user hit it twice or 10 times; I just want the number of users that had that error. Is there any way to do that with Splunk?

Solution

Sure.

Assuming your source type is called "access_combined" and you have a status and user field defined (either by Splunk automatically, or explicitly by you via Field Extraction), your search might look like this:

sourcetype="access_combined" status="404" | dedup user | table user

Or you could try this one as well, which uses the distinct count operation:

sourcetype="access_combined" status="404" | stats dc(status) by user
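
To get a single number instead of one row per user, `dc()` can be applied to the `user` field itself. The search below is an added example, not part of the original answer; it assumes unauthenticated requests carry `-` in `user` and that a `clientip` field is extracted, and it falls back to the client IP for those events so they are not all counted as one user.

```spl
sourcetype="access_combined" status="404"
| eval visitor=if(isnull(user) OR user="-", clientip, user)
| stats dc(visitor) AS unique_visitors, count AS total_404_events
```

Appending `BY status` to the `stats` command and widening the status filter gives the same two numbers per status code.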

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow