topic Using dedup in multi-month query in Splunk Search https://community.splunk.com/t5/Splunk-Search/Using-dedup-in-multi-month-query/m-p/476270#M133764 <P>I'm trying to create a timechart showing the count of events over 6 months. The query is </P> <PRE><CODE>index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | dedup f_1 f_2 | timechart count by id span=1mon </CODE></PRE> <P>The goal is to <CODE>dedup</CODE> within that month only, not across all 6 months. For example, if the same values of <CODE>f_1,f_2</CODE> appear in all 6 months, I should get 1 count of <CODE>f_1,f_2</CODE> in each of the 6 months, not only in the last month. However, it seems like the <CODE>f_1,f_2</CODE> values will be <CODE>dedup</CODE> across all 6 months, and appear only in the last month.</P> <P>Can I bin events by the months they appear in, then dedup within that month only to achieve this? Or is there another way?</P> Wed, 19 Feb 2020 08:04:14 GMT wu_weidong 2020-02-19T08:04:14Z Using dedup in multi-month query https://community.splunk.com/t5/Splunk-Search/Using-dedup-in-multi-month-query/m-p/476270#M133764 <P>I'm trying to create a timechart showing the count of events over 6 months. The query is </P> <PRE><CODE>index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | dedup f_1 f_2 | timechart count by id span=1mon </CODE></PRE> <P>The goal is to <CODE>dedup</CODE> within that month only, not across all 6 months. For example, if the same values of <CODE>f_1,f_2</CODE> appear in all 6 months, I should get 1 count of <CODE>f_1,f_2</CODE> in each of the 6 months, not only in the last month. However, it seems like the <CODE>f_1,f_2</CODE> values will be <CODE>dedup</CODE> across all 6 months, and appear only in the last month.</P> <P>Can I bin events by the months they appear in, then dedup within that month only to achieve this? Or is there another way?</P> Wed, 19 Feb 2020 08:04:14 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-in-multi-month-query/m-p/476270#M133764 wu_weidong 2020-02-19T08:04:14Z Re: Using dedup in multi-month query https://community.splunk.com/t5/Splunk-Search/Using-dedup-in-multi-month-query/m-p/476271#M133765 <PRE><CODE>index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | eval f_1_tmp=f_1.":".strftime(_time,"%Y%m"),f_2_tmp=f_2.":".strftime(_time,"%Y%m") | dedup f_1_tmp f_2_tmp | timechart count by id span=1mon </CODE></PRE> Sat, 29 Feb 2020 00:44:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-in-multi-month-query/m-p/476271#M133765 to4kawa 2020-02-29T00:44:05Z