Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dedup all redundant data in a column...having an issue

infra2sec
Path Finder
‎07-14-2016 05:40 AM

I am new and learning Splunk.

I created a search where multiple time stamps are revealed in a column. I'd just like that time stamp to show up once in my search results.

I tried using Dedup, but it takes all of the date time stamps away.

The search listed below works the way I want it to with that exception.

index=xyz sourcetype="xyz:xyz:xyz" | table_time | eval Date =strftime(_time, "%Y%m%d") | table Date | rename Date as "Date that something happened" | dedup Date

Thanks!

Tags (1)
0 Karma
Reply

infra2sec
Path Finder
‎07-18-2016 10:37 AM

You all are awesome. Starting to get the results that I need. Wanted to report back, but I could only post 2 times per day.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 02:53 PM

Like this:

index=xyz sourcetype="xyz:xyz:xyz" | bucket span=1d _time | dedup _time | rename _time AS "Date that something happened"
0 Karma
Reply

Stevelim
Communicator
‎07-14-2016 08:56 AM

Hey, to list out unique values, you should look into stats command as well

Base search to filter out the correct events | table_time | eval Date =strftime(_time, "%Y%m%d") | stats list(Date)

Here's an example:

index=* Value>60 | eval Date = strftime(_time, "%Y%m%d") | stats values(Date) as Date | mvexpand Date

alt text

Preview file
19 KB
0 Karma
Reply

sundareshr
Legend
‎07-14-2016 06:00 AM

Try this

index=xyz sourcetype="xyz:xyz:xyz" | timechart span=1d count | eval "Date that something happened"=strftime(_time, "%Y%m%d") | table "Date that something happened"
0 Karma
Reply

infra2sec
Path Finder
‎07-14-2016 05:49 AM

Thank you very much. Is there a way to do that myself? I searched and didn't find a way.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-14-2016 05:48 AM

you could do something like this
index=xyz sourcetype="xyz:xyz:xyz" | eval Date =strftime(_time, "%Y%m%d") | dedup Date | table Date | rename Date as "Date that something happened"
OR
index=xyz sourcetype="xyz:xyz:xyz" | eval Date =strftime(_time, "%Y%m%d") | stats count by Date | rename Date as "Date that something happened"
repeting table two times is more slow and not mandatory.
Bye.
Giuseppe

0 Karma
Reply

javiergn
Super Champion
‎07-14-2016 05:47 AM

I have edit your title as per the comment above

0 Karma
Reply

infra2sec
Path Finder
‎07-14-2016 05:42 AM

Title should have read "........Dedup all redundant data in a column...having an issue"

0 Karma
Reply

infra2sec
Path Finder
‎07-14-2016 05:42 AM

Title should have read "........Dedup all redundant data in a column...having an issue"

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...