Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem of duplicate values

taha13
Explorer
‎04-11-2018 02:01 AM

Hello ,

I have a question (or a problem) about my code:

|loadjob savedsearch="a468413:ied:req_test2"
|eval time = strftime(_time,"%m/%d/%Y %I:%M %p")
|eval D1=if(MESSAGE="Connexion genesys OK + agent joint",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
|eval D2=if(MESSAGE="Proposition du questionnaire de satisfaction client",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
|eval diff=D2-D1
|where chatId="0007SaDCMCP301EX" AND (match(MESSAGE,"(\s|^)Replique(\s|$)") OR match(MESSAGE,"(\s|^)replique(\s|$)") OR MESSAGE="Proposition du questionnaire de satisfaction client" OR MESSAGE="Connexion genesys OK + agent joint") AND MESSAGE!="Le chat va etre cloture car le timeout de non replique client et conseiller a ete atteint"
|table _time,chatId,D1,D2
|sort _time asc

The reslt that i want,is to have a table with one line with colums (chatId,D1,D2 AND diff),so here i have two problems,i have three D1(i want to take just the fist one),the second problem is that i have a lot of lines of one chatID

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2018 08:31 AM

Try the following run anywhere search:

| makeresults
| eval chatId="004khjkdhsd76786",D1="1520048834.000"
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786"]
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786"]
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786",D2="1400050002.000"]
| sort - _time asc
| fillnull value=0 D1,D2
| dedup chatId D1 D2
| search NOT(D1=0 AND D2=0)
| table _time chatId D1 D2
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2018 08:31 AM

Try the following run anywhere search:

| makeresults
| eval chatId="004khjkdhsd76786",D1="1520048834.000"
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786"]
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786"]
| append 
    [| makeresults
| eval chatId="004khjkdhsd76786",D2="1400050002.000"]
| sort - _time asc
| fillnull value=0 D1,D2
| dedup chatId D1 D2
| search NOT(D1=0 AND D2=0)
| table _time chatId D1 D2
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

taha13
Explorer
‎04-13-2018 01:37 AM

can I write the formula instead of the values?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-13-2018 09:26 AM

@taha13, what do you mean by formula? In the above run anywhere example you need to replace commands from |makeresults to |eval chartId with your current search.

  |loadjob savedsearch="a468413:ied:req_test2"
  |eval time = strftime(_time,"%m/%d/%Y %I:%M %p")
  |eval D1=if(MESSAGE="Connexion genesys OK + agent joint",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
  |eval D2=if(MESSAGE="Proposition du questionnaire de satisfaction client",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
  |eval diff=D2-D1
  |where chatId="0007SaDCMCP301EX" AND (match(MESSAGE,"(\s|^)Replique(\s|$)") OR match(MESSAGE,"(\s|^)replique(\s|$)") OR MESSAGE="Proposition du questionnaire de satisfaction client" OR MESSAGE="Connexion genesys OK + agent joint") AND MESSAGE!="Le chat va etre cloture car le timeout de non replique client et conseiller a ete atteint"
 | sort - _time asc
 | fillnull value=0 D1,D2
 | dedup chatId D1 D2
 | search NOT(D1=0 AND D2=0)
 | table _time chatId D1 D2
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

taha13
Explorer
‎04-16-2018 12:51 AM

It's work,thank you 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-16-2018 01:28 AM

Glad it worked, do up-vote the comment/s that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2018 06:48 AM

@taha13, can you try the following and confirm:

 |loadjob savedsearch="a468413:ied:req_test2"
 |eval time = strftime(_time,"%m/%d/%Y %I:%M %p")
 |eval D1=if(MESSAGE="Connexion genesys OK + agent joint",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
 |eval D2=if(MESSAGE="Proposition du questionnaire de satisfaction client",strptime(time, "%m/%d/%Y %I:%M %p") ,NULL)
 |eval diff=D2-D1
 |where chatId="0007SaDCMCP301EX" AND (match(MESSAGE,"(\s|^)Replique(\s|$)") OR match(MESSAGE,"(\s|^)replique(\s|$)") OR MESSAGE="Proposition du questionnaire de satisfaction client" OR MESSAGE="Connexion genesys OK + agent joint") AND MESSAGE!="Le chat va etre cloture car le timeout de non replique client et conseiller a ete atteint"
| sort _time asc
| dedup chatId D1 D2
| search D1=* OR D2=*
| table _time chatId D1 D2
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

taha13
Explorer
‎04-11-2018 08:04 AM

No result found

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...