https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360109#M65658 <P>I recently setup Splunk Dashboard integrated with Tableau, when i run below mentioned query it gives me a count of successful extract for today.</P> <P>host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count.</P> <P>But recently when the query ran it shows two results for same extract when it should be 1, also,if you see both the events closely even though it has a date of 09/27/2017 but inside it displays date_mday = 27 for the second query result date_mday = 26. What can i add to the query where it does not duplicate and display Today results</P> <PRE><CODE>9/27/17 </CODE></PRE> <P>7:30:04.734 AM<BR /><BR /> 2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662<BR /> date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---<EM>:</EM><STRONG>....._-</STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default</P> <P>9/27/17<BR /> 12:50:47.694 AM <BR /> 2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195<BR /> date_mday = 26 date_month** = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---<EM>:</EM><STRONG>....._-</STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default</P> Tue, 29 Sep 2020 15:58:01 GMT shakeel253 2020-09-29T15:58:01Z https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360109#M65658 <P>I recently setup Splunk Dashboard integrated with Tableau, when i run below mentioned query it gives me a count of successful extract for today.</P> <P>host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count.</P> <P>But recently when the query ran it shows two results for same extract when it should be 1, also,if you see both the events closely even though it has a date of 09/27/2017 but inside it displays date_mday = 27 for the second query result date_mday = 26. What can i add to the query where it does not duplicate and display Today results</P> <PRE><CODE>9/27/17 </CODE></PRE> <P>7:30:04.734 AM<BR /><BR /> 2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662<BR /> date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---<EM>:</EM><STRONG>....._-</STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default</P> <P>9/27/17<BR /> 12:50:47.694 AM <BR /> 2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195<BR /> date_mday = 26 date_month** = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---<EM>:</EM><STRONG>....._-</STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default</P> Tue, 29 Sep 2020 15:58:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360109#M65658 shakeel253 2020-09-29T15:58:01Z https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360110#M65659 <P>The query ran twice successfully in the time range. </P> <P>In order to dedup them, you will need to identify what part of the event identifies a unique extract. </P> <P>Try this...</P> <PRE><CODE>host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | rex "source = (?&lt;sourcelog&gt;.*.log)" | dedup sourcelog | stats count </CODE></PRE> Wed, 27 Sep 2017 19:12:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360110#M65659 DalJeanis 2017-09-27T19:12:50Z https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360111#M65660 <P>The above query didnt give me required results.<BR /> This is the query i am running, if you closely look the highlighted time stamp, the results are being replicated, what can i add to the query that it wont replicate date_mday</P> <P><STRONG>host=TABLEAU "(SEVIS,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository" | stats count</STRONG></P> <P><STRONG>10/13/17</STRONG><BR /> 5:03:05.749 AM<BR /><BR /> 2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 (guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241<BR /> <STRONG>date_mday = 13 date_month</STRONG> = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---<EM>:</EM><STRONG>....._-</STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+<STRONG>(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default<BR /> <STRONG>10/13/17</STRONG><BR /> 12:39:41.996 AM <BR /> 2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 (guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236<BR /> <STRONG>date_mday = 12 date_month</STRONG> = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --<EM>::.</EM>-<EM>(,,,)</EM>---_:</STRONG><EM>.....</EM>-<STRONG><EM>:</EM>/<EM>:</EM>:<EM>()</EM>+</STRONG>(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-0.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default</P> Tue, 29 Sep 2020 16:10:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-my-search-that-checks-for-extract-yield-events-twice/m-p/360111#M65660 shakeel253 2020-09-29T16:10:15Z