Why does my search that checks for extract yield events twice with two different timestamps?

shakeel253
Explorer

I recently set up a Splunk dashboard integrated with Tableau. When I run the query below, it gives me a count of successful extracts for today.

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count

But recently when the query ran it showed two results for the same extract when it should be 1. Also, if you look at both events closely, even though both have a date of 09/27/2017, inside, the first displays date_mday = 27 and the second query result date_mday = 26. What can I add to the query so that it does not duplicate and displays today's results?

9/27/17 7:30:04.734 AM
2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662
date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default

9/27/17 12:50:47.694 AM
2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195
date_mday = 26 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default


DalJeanis
SplunkTrust

The query ran twice successfully in the time range.

In order to dedup them, you will need to identify what part of the event identifies a unique extract.

Try this...

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract"
| rex field=source "(?<sourcelog>backgrounder-\d+\.log)$"
| dedup sourcelog
| stats count

shakeel253
Explorer

The above query didn't give me the required results.
This is the query I am running. If you look closely at the highlighted timestamps, the results are being replicated. What can I add to the query so that it won't replicate date_mday?

host=TABLEAU "(SEVIS,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository" | stats count

10/13/17 5:03:05.749 AM
2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 (guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241
date_mday = 13 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default
10/13/17 12:39:41.996 AM
2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 (guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236
date_mday = 12 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---_:.....-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-0.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default

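As an added example (not code from the thread), here is the check behind DalJeanis's advice and the date_mday puzzle in shakeel253's posts, in Python rather than SPL: it parses constructed backgrounder lines modelled on the ones above, counts distinct repoExtractId values, and shows that the raw -0400 timestamps give date_mday 27 and 26 while the UI times (7:30 AM and 12:50 AM) place both events on the same UTC day. The event text, ids and zone choices are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events modelled on the thread's backgrounder lines (ids,
# sizes, guids are made up); the third repeats the second, standing in for a
# re-ingested log line that must not be counted twice.
PREFIX = ("(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup."
          "service.VqlSessionService - Storing to repository: Demo_Program/extract ")
EVENTS = [
    "2017-09-27 03:30:04.734 -0400 " + PREFIX + "repoExtractId:17503 size:12572 (twb)"
    " + 758672090 (guid={00000000-0000-0000-0000-000000000001}) = 758684662",
    "2017-09-26 20:50:47.694 -0400 " + PREFIX + "repoExtractId:17494 size:12521 (twb)"
    " + 758649674 (guid={00000000-0000-0000-0000-000000000002}) = 758662195",
    "2017-09-26 20:50:47.694 -0400 " + PREFIX + "repoExtractId:17494 size:12521 (twb)"
    " + 758649674 (guid={00000000-0000-0000-0000-000000000002}) = 758662195",
]
# The log's own zone (-0400 in the thread) and the zone the search UI used
# (it showed 7:30 AM and 12:50 AM for these two events, i.e. UTC).
LOG_LOCAL = timezone(timedelta(hours=-4))
UTC = timezone.utc
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
                     r".*?repoExtractId:(?P<extract_id>\d+)")

def parse_event(line):
    """Return (aware datetime, repoExtractId), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    return ts, int(m.group("extract_id"))

def date_mday(line):
    """Day-of-month the way Splunk's date_mday reports it: read from the raw
    timestamp in the log's own zone, never converted to the viewer's zone."""
    return parse_event(line)[0].day

def count_extracts(lines, day, tz=UTC):
    """Count distinct repoExtractIds whose timestamp falls on `day` (YYYY-MM-DD)
    after conversion to zone `tz`; repoExtractId is the 'unique extract' key."""
    seen = set()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, extract_id = parsed
        if ts.astimezone(tz).strftime("%Y-%m-%d") == day:
            seen.add(extract_id)
    return len(seen)
```

With tz=UTC the 27th holds two distinct extracts, which is what the "today" search returned; with tz=LOG_LOCAL each day holds one, matching date_mday.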