Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dedup within span

erkin
Engager
‎03-20-2024 07:54 AM

Hi!

I have an issue with a query and the dedup command. 

 

| eval service=case(
(method="GET" AND match(uri, "/v1/[a-zA-Z]{2}/customers\?.*searchString=[^&]+.*")), "FindCustomer",
(method="GET" AND match(uri, "/v2/[A-Za-z]{2}/private-customers(/[a-zA-Z0-9-]+)?(?!/)")), "ReadCustomer")
| stats count by service

 



Unfortunately I have been noticing that my events matching to "ReadCustomer" are logged twice. Therefore I get two events right after each other with a couple of seconds in between, which is polluting my results. I need to somehow duplicate events, which have the same uri and happen within 10s of each other. I was thinking to use 

 

|dedup uri

 

 but realized that I want to allow the same uri, if it is more than 10 seconds between the events. If dedup could take a span, that would be the optimal way for me.

Does anyone have a good idea on how to solve this? I was also thinking about | transaction  as well but I'm not sure if I can use it...


Labels (1)
Labels
Tags (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-20-2024 08:25 AM

Hi

what you have in _raw data? Are those real duplicate events or those real events which really should be on logs?

If those are correctly in logs and there should be "same" event twice, you probably could mark "duplicates" with streamstats adding some count and then removing those duplicate on your stats count line?

see.  https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Streamstats

Something like

...
| <set your service>
| streamstats time_window=10s count as dup_count by service, <other fields to match events correctly>
| where dup_count < 2
| stats ....

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...