I am new and learning Splunk.
I created a search where multiple time stamps are revealed in a column. I'd just like that time stamp to show up once in my search results.
I tried using Dedup, but it takes all of the date time stamps away.
The search listed below works the way I want it to with that exception.
index=xyz sourcetype="xyz:xyz:xyz" | table _time | eval Date = strftime(_time, "%Y%m%d") | table Date | rename Date as "Date that something happened" | dedup Date
Thanks!
You all are awesome. Starting to get the results that I need. Wanted to report back, but I could only post 2 times per day.
Like this:
index=xyz sourcetype="xyz:xyz:xyz" | bucket span=1d _time | dedup _time | rename _time AS "Date that something happened"
Hey, to list out unique values, you should look into the stats command as well.
Base search to filter out the correct events | table _time | eval Date = strftime(_time, "%Y%m%d") | stats list(Date)
Here's an example:
index=* Value>60 | eval Date = strftime(_time, "%Y%m%d") | stats values(Date) as Date | mvexpand Date
Try this
index=xyz sourcetype="xyz:xyz:xyz" | timechart span=1d count | eval "Date that something happened"=strftime(_time, "%Y%m%d") | table "Date that something happened"
Thank you very much. Is there a way to do that myself? I searched and didn't find a way.
Thanks
you could do something like this
index=xyz sourcetype="xyz:xyz:xyz" | eval Date =strftime(_time, "%Y%m%d") | dedup Date | table Date | rename Date as "Date that something happened"
OR
index=xyz sourcetype="xyz:xyz:xyz" | eval Date =strftime(_time, "%Y%m%d") | stats count by Date | rename Date as "Date that something happened"
Repeating table two times is slower and not mandatory.
Bye.
Giuseppe
I have edited your title as per the comment above.
Title should have read "........Dedup all redundant data in a column...having an issue"