https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493886#M137706 <P>If <CODE>Each event is determined by the linebreak</CODE> then your situation is hopeless; surely that is not true! Are you sure it isn't that <CODE>Each event is determined by timestamp</CODE>?</P> Wed, 27 Nov 2019 00:29:41 GMT woodcock 2019-11-27T00:29:41Z https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493885#M137705 <P>Hello everyone.</P> <P>I have a code below where each event is determined by the line break. I am wanting to take the value from the "InteractionId" parameter and check that there are no duplicates.<BR /> '<BR /> I believe it could be a regex that only filters by '<STRONG>InteractionId' [str] = "value"</STRONG><BR /> But I'm not sure.</P> <PRE><CODE>2019-11-23T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = "Resources" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = "00052aEWU1VF525" 'TenantId' [int] = 101 'MediaType' [str] = "email" 'InteractionType' [str] = "Inbound" 'InteractionSubtype' [str] = "InboundNew" 2019-11-24T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = "Resources" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = "00052aEWU1VFB525" 'TenantId' [int] = 101 'MediaType' [str] = "email" 'InteractionType' [str] = "Inbound" 'InteractionSubtype' [str] = "InboundNew" 2019-11-25T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = "Resources" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = "00052aEWU1VFB34B" 'TenantId' [int] = 101 'MediaType' [str] = "email" 'InteractionType' [str] = "Inbound" 'InteractionSubtype' [str] = "InboundNew" </CODE></PRE> Wed, 27 Nov 2019 00:03:43 GMT https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493885#M137705 leandromatperei 2019-11-27T00:03:43Z https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493886#M137706 <P>If <CODE>Each event is determined by the linebreak</CODE> then your situation is hopeless; surely that is not true! Are you sure it isn't that <CODE>Each event is determined by timestamp</CODE>?</P> Wed, 27 Nov 2019 00:29:41 GMT https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493886#M137706 woodcock 2019-11-27T00:29:41Z https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493887#M137707 <P>That's right, it's by timestamp.</P> <P>The timestamp is breaking the event normally, my question is how much interactions within the 'Interaction' parameter [str] =</P> Wed, 27 Nov 2019 00:42:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493887#M137707 leandromatperei 2019-11-27T00:42:33Z https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493888#M137708 <P>Like this:</P> <PRE><CODE>| makeresults | eval raw="2019-11-23T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = \"Resources\" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = \"00052aEWU1VF525\" 'TenantId' [int] = 101 'MediaType' [str] = \"email\" 'InteractionType' [str] = \"Inbound\" 'InteractionSubtype' [str] = \"InboundNew\" :::2019-11-24T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = \"Resources\" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = \"00052aEWU1VFB525\" 'TenantId' [int] = 101 'MediaType' [str] = \"email\" 'InteractionType' [str] = \"Inbound\" 'InteractionSubtype' [str] = \"InboundNew\" :::2019-11-25T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message: AttributeCustomerID [str] = \"Resources\" AttributeConnID [long] = 093902ed259a99fc AttributeMediaType [int] = -1 AttributeCallID [int] = 543269 AttributeCallType [int] = 0 'InteractionId' [str] = \"00052aEWU1VFB34B\" 'TenantId' [int] = 101 'MediaType' [str] = \"email\" 'InteractionType' [str] = \"Inbound\" 'InteractionSubtype' [str] = \"InboundNew\"" | makemv delim=":::" raw | mvexpand raw | rename raw AS _raw | rename COMMENT AS "Everthing above generates sample event data; everything below is your solution" | rex max_match=0 "\s+\'?(?&lt;key&gt;\S+)\'?\s\[\S+\]\s=\s\"?(?&lt;value&gt;[^\"\s]+)" | eval _raw = mvzip(key, value, "=") | kv | eventstats count BY InteractionId | where count &gt; 1 </CODE></PRE> Wed, 27 Nov 2019 04:41:13 GMT https://community.splunk.com/t5/Splunk-Search/Regex-by-ID-removing-duplicates/m-p/493888#M137708 woodcock 2019-11-27T04:41:13Z