https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128172#M184418 <P>Ok guy,</P> <P>Try this with the commande <STRONG>dedup</STRONG>:</P> <PRE><CODE> ...|stats dc(User_id) by ... | dedup USER_id sortby +_time </CODE></PRE> <P>Or this with commande <STRONG>uniq</STRONG>:</P> <PRE><CODE>index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count |uniq </CODE></PRE> Tue, 07 Apr 2015 10:02:20 GMT NOUMSSI 2015-04-07T10:02:20Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128167#M184413 <P>In the index for siteminder called cams_prod, there are traced filed with the type smtrace. Using these trace files find the logs for the application using 'Center realm’. Then created a regular expression to mine the User id. You will notice that Userids are able to be found many times each minute. We need to fiter this so it only shows once per minute. </P> Mon, 06 Apr 2015 13:54:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128167#M184413 moiezuddin 2015-04-06T13:54:46Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128168#M184414 <P>Could you post some sample data, your current search, and a mock-up of your desired output please?</P> Mon, 06 Apr 2015 14:36:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128168#M184414 masonmorales 2015-04-06T14:36:29Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128169#M184415 <P>Hi,<BR /> to show only one Userid per minute, in your query use this function <STRONG>dc</STRONG> by this way:</P> <P>...|stats dc(Userid) by ...</P> <P>Or</P> <P>...|timechart dc(Userid) by ...</P> Tue, 07 Apr 2015 01:48:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128169#M184415 NOUMSSI 2015-04-07T01:48:22Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128170#M184416 <P>index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count</P> <P>With the above query, I noticed that USER_id are able to be found many times each minute. </P> <P>I need to fiter this in such a way that it only needs to shows once per minute. </P> <P>Kindly help</P> Mon, 28 Sep 2020 19:25:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128170#M184416 moiezuddin 2020-09-28T19:25:58Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128171#M184417 <P>index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count</P> <P>With the above query, I noticed that USER_id are able to be found many times each minute.</P> <P>I need to fiter this in such a way that it only needs to shows once per minute.</P> <P>Kindly help</P> Mon, 28 Sep 2020 19:26:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128171#M184417 moiezuddin 2020-09-28T19:26:01Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128172#M184418 <P>Ok guy,</P> <P>Try this with the commande <STRONG>dedup</STRONG>:</P> <PRE><CODE> ...|stats dc(User_id) by ... | dedup USER_id sortby +_time </CODE></PRE> <P>Or this with commande <STRONG>uniq</STRONG>:</P> <PRE><CODE>index=casm_prod sourcetype=smtrace | bucket _time span=1m | stats count by _time, USER_id | sort - count |uniq </CODE></PRE> Tue, 07 Apr 2015 10:02:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128172#M184418 NOUMSSI 2015-04-07T10:02:20Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128173#M184419 <P>Thanks a lot , its working fine.</P> Tue, 07 Apr 2015 10:39:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128173#M184419 moiezuddin 2015-04-07T10:39:01Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128174#M184420 <P>No mention. I'm here to help you solve your problems</P> Tue, 07 Apr 2015 10:59:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128174#M184420 NOUMSSI 2015-04-07T10:59:27Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128175#M184421 <P>Hi Moiezuddin,</P> <P>Thanks For the question,<BR /> I new to splunk, Trying to develop some sample siteminder dashboards as a poc,<BR /> Hope you have some Idea on the smaccess log and smps log,</P> <P>Using Smps log, We are trying to develop some alerts for the performance monitoring of siteminder.<BR /> Can you please explain if you have done any in your environment.</P> <P>Was It possible to create a table like total number users have accessed a particular application in 24 hours time period using azaccept and uid in smaccess.log</P> <P>Thanks,</P> Tue, 01 Mar 2016 20:07:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-the-Userid-to-show-once-per-minute/m-p/128175#M184421 krishnacasso 2016-03-01T20:07:21Z