https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480264#M134607 <P>Hi,<BR /> Thanks for the help. Dedup logic seems to be working.</P> Tue, 14 Jan 2020 16:58:34 GMT siddharth1479 2020-01-14T16:58:34Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480247#M134590 <P>Hi Community,<BR /> I'm using the search query to search for the user activity and I get the results with duplicate rows with the same user with the same time. The time format is as follows: YYYY-DD-MM HH:MM:SS:000. I get the result as following:</P> <P>USER | TIME<BR /> abcd | 2020-06-01 08:58:51<BR /> abcd | 2020-06-01 08:58:51<BR /> abcd | 2020-06-01 08:58:51</P> <P>abcd | 2020-06-01 09:32:27<BR /> abcd | 2020-06-01 09:32:27<BR /> abcd | 2020-06-01 09:32:27</P> <HR /> <P>The output I desire is:</P> <P>USER | TIME<BR /> abcd | 2020-06-01 08:58:51<BR /> abcd | 2020-06-01 09:32:27</P> <HR /> <P>Search query I'm using is:<BR /> index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | fields "USER" "TIME"</P> <HR /> <P>How do I get the unique values, because it seems that Splunk compares the time upto milliseconds. <BR /> Can anyone please help me out?</P> <P>Thanks,<BR /> Sid</P> Wed, 30 Sep 2020 03:36:09 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480247#M134590 siddharth1479 2020-09-30T03:36:09Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480248#M134591 <P><CODE>stats</CODE> is your friend <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/stats">here</A></P> <P>Try something like this:</P> <PRE><CODE>index="uam" User="abcd" | eval Timeime=strftime(_time, "%Y-%d-%m %H:%M:%S") | stats count by User Time | fields - count </CODE></PRE> Tue, 07 Jan 2020 19:47:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480248#M134591 wmyersas 2020-01-07T19:47:22Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480249#M134592 <P>Hey @wmyersas ,<BR /> Thanks for the help.</P> <P>As I said, Splunk compares the time difference by milliseconds and not by seconds, its still shows the same result which it showed before. </P> <P>Thanks,<BR /> Sid</P> Tue, 07 Jan 2020 21:12:01 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480249#M134592 siddharth1479 2020-01-07T21:12:01Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480250#M134593 <PRE><CODE>index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | stats values(User) as USER by access_time | rename access_time as TIME </CODE></PRE> <P>hi, try this.</P> Tue, 07 Jan 2020 21:42:33 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480250#M134593 to4kawa 2020-01-07T21:42:33Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480251#M134594 <P>Looks like a typo there:</P> <PRE><CODE> index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | rename access_time as TIME | stats count by USER TIME | fields - count </CODE></PRE> <P>Should sort it</P> Wed, 08 Jan 2020 16:10:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480251#M134594 sheamus69 2020-01-08T16:10:35Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480252#M134595 <P>If you've already formatted the time into a new format, then you don't need to worry about the milliseconds <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 09 Jan 2020 15:54:42 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480252#M134595 wmyersas 2020-01-09T15:54:42Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480253#M134596 <P>I was going off OP - but you're right, he was missing a rename in there <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 09 Jan 2020 15:55:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480253#M134596 wmyersas 2020-01-09T15:55:15Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480254#M134597 <P>Hi, sorry for late reply. I tried this but it isn't helping. I still get duplicate "Seconds".</P> Mon, 13 Jan 2020 15:43:20 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480254#M134597 siddharth1479 2020-01-13T15:43:20Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480255#M134598 <P>Hi, sorry for late reply. I tried this but it isn't helping. I still get duplicate "Seconds".</P> Mon, 13 Jan 2020 15:43:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480255#M134598 siddharth1479 2020-01-13T15:43:41Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480256#M134599 <P>index="uam" User="abcd" <BR /> | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") <BR /> | fields "USER" "TIME"<BR /> | dedup "USER","TIME"</P> Wed, 30 Sep 2020 03:39:01 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480256#M134599 heissenberg 2020-09-30T03:39:01Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480257#M134600 <P>Hello,</P> <P>Maybe you can try to dedup using a stringconcat on user and time fields? </P> <P>Something like:</P> <P>index="uam" User="abcd" <BR /> | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")<BR /> | rename access_time as TIME<BR /> | eval key=tostring(TIME)+tostring(User)<BR /> | dedup key<BR /> | table User, TIME</P> <P>Kind regards,<BR /> Willem Jongeneel</P> Wed, 30 Sep 2020 03:42:59 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480257#M134600 willemjongeneel 2020-09-30T03:42:59Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480258#M134601 <P>@siddharth1479 <BR /> <CODE>|stats values(User) as USER by access_time</CODE><BR /> This will be aggregated by the access_time string.<BR /> Are they really duplicates?<BR /> Please show me the results.</P> Mon, 13 Jan 2020 16:50:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480258#M134601 to4kawa 2020-01-13T16:50:12Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480259#M134602 <PRE><CODE>| makeresults |eval _raw="USER,TIME abcd ,2020-06-01 08:58:51 abcd ,2020-06-01 08:58:51 abcd ,2020-06-01 08:58:51 abcd ,2020-06-01 09:32:27 abcd ,2020-06-01 09:32:27 abcd ,2020-06-01 09:32:27" | multikv forceheader=1 | rename COMMENT as "your result" | table USER,TIME | stats values(USER) as USER by TIME | table USER,TIME </CODE></PRE> <P>This is OK.</P> Mon, 13 Jan 2020 16:58:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480259#M134602 to4kawa 2020-01-13T16:58:12Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480260#M134603 <P>@siddharth1479 Try this </P> <PRE><CODE>index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | rename access_time as TIME|fields "USER" "TIME"| dedup USER TIME </CODE></PRE> Mon, 13 Jan 2020 17:18:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480260#M134603 Vijeta 2020-01-13T17:18:43Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480261#M134604 <P>Then change your time format to something less granular <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 13 Jan 2020 22:13:25 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480261#M134604 wmyersas 2020-01-13T22:13:25Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480262#M134605 <P>Hi,<BR /> Thanks for the help. Seems to be working with this logic and also made some changes to the logs itself to uniquely identify each entry only once.</P> Tue, 14 Jan 2020 16:55:42 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480262#M134605 siddharth1479 2020-01-14T16:55:42Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480263#M134606 <P>Hi,<BR /> I think you need to rename the access_time as TIME, and yes dedup logic seems to be working.</P> <P>Thanks for the help.</P> Tue, 14 Jan 2020 16:57:26 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480263#M134606 siddharth1479 2020-01-14T16:57:26Z https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480264#M134607 <P>Hi,<BR /> Thanks for the help. Dedup logic seems to be working.</P> Tue, 14 Jan 2020 16:58:34 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-Unique-values-based-on-time/m-p/480264#M134607 siddharth1479 2020-01-14T16:58:34Z