Hi,
I wrote the following Splunk query which returns a list of distinct USER_AGENTs for each SESSION_ID:
index=abc | rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer" | stats count by SESSION_ID, USER_AGENT
I would now like to modify this query to return a list of SESSION_IDs that have more than one unique value for USER_AGENT, and the count of the unique values.
Thanks!
Jonathan
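
One way to get the result asked for above, as an added example that is not part of the original post: `dc()` counts the distinct USER_AGENT values per SESSION_ID, and `where` keeps only the sessions with more than one. The output field names UA_COUNT and USER_AGENTS are chosen here for illustration.

```spl
index=abc
| rex field=_raw "-S:(?<SESSION_ID>\w+)-.+User agent: '(?<USER_AGENT>.+)', Referrer"
``` one row per session: distinct user-agent count plus the values themselves ```
| stats dc(USER_AGENT) AS UA_COUNT values(USER_AGENT) AS USER_AGENTS by SESSION_ID
``` keep only sessions seen with more than one user agent ```
| where UA_COUNT > 1
| sort - UA_COUNT
```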