How to get the number of "unique" request with splunk
We are currently looking for a way to find the number of "unique" request for a given event type with splunk. Like the number of user that hit a 404, but i don't care if a us开发者_JAVA技巧er hit it twice or 10 times, I just want the number of user that had that error. Is there anyway to do that with splunk ?
Sure.
Assuming your source type is called "access_combined" and you have a status and user field defined (either by Splunk automatically, or explicitly by you via Field Extraction) your search might look like this:
sourcetype="access_combined" status="404" | dedup user | table user
OR you could try this one as well, which uses the distinct count operation:
sourcetype="access_combined" status="404" | stats dc(status) by user
精彩评论