Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show only duplicated fields

kmattern
Builder
‎02-18-2014 07:59 AM

I have customers who upload sets of files every day. The upload is done automatically. Sometimes there will be a hitch in the system and one or more of the file set will be uploaded multiple times. The file names all have the term _seq_ followed by a sequence number. So part of the customer events will look like this:

abcdef_seq_1
abcdef_seq_2
abcdef_seq_2
abcdef_seq_3
abcdef_seq_4

I only want to show only the duplicated upload files, in this case abcdef_seq_2. It shouldn't be that hard but I'm busting my head. What am I missing?

Ultimately I need to put this into a data model for a Pivot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmattern
Builder
‎02-18-2014 08:39 AM

I think I finally figured it out. This search returns only those IIS events that have duplicate cs_uri-query fields.

sourcetype="iis" cs_uri_query="*_seq*"  
| stats first(cs_uri_query) as DupFile, first(cs_username) as Customer, count(cs_uri_query) AS Duplicates by cs_uri_query  
| where Duplicates>1 
| table Customer, DupFile, Duplicates

View solution in original post

Reply
Solved! Jump to solution
Solution

kmattern
Builder
‎02-18-2014 08:39 AM

I think I finally figured it out. This search returns only those IIS events that have duplicate cs_uri-query fields.

sourcetype="iis" cs_uri_query="*_seq*"  
| stats first(cs_uri_query) as DupFile, first(cs_username) as Customer, count(cs_uri_query) AS Duplicates by cs_uri_query  
| where Duplicates>1 
| table Customer, DupFile, Duplicates
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-18-2014 10:29 AM

ps : please mark your question as answered with the left checkbox to accept your own answer 🙂

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-18-2014 10:27 AM

this is the good method.

to find a dulpicate field
* | stats count by myfield | where count>1

to look at the whole events
* | stats count by _raw | where count>1

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-18-2014 08:36 AM

In splunk, do you see duplicate data for the files uploaded multiple times?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...