Re: Exclude the logs with the same time for search...

JiachengWei · ‎06-23-2021

Hi Guys,

I'd like to exclude the logs with same time for the search results

_time _raw

2021-5-26 00:00:00 A

2021-5-26 00:00:00 B

2021-5-26 00:05:00 C

2021-5-26 00:10:05 D

What I'd like to see:

_time downtime

2021-5-26 00:05:00 C

2021-5-26 00:10:05 D

Would you please share how I can do this? Thanks!

aasabatini · ‎06-23-2021

Hi @JiachengWei

try to use dedup command
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

maybe it's better transform the time field in another one to avoid conflict

example:

<your search>
| eval date=strftime(_time,"%d-%m-%Y %H:%M:%S")
| dedup date

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

JiachengWei · ‎06-23-2021

@aasabatini Thanks for sharing. But the dedup will only delete the duplicate log. I believe it will show as below:

_time _raw

2021-5-26 00:00:00 A

2021-5-26 00:05:00 C

2021-5-26 00:10:05 D

What I'd like to see:

_time downtime

2021-5-26 00:05:00 C

2021-5-26 00:10:05 D

Do you have any other ideas? Thanks

aasabatini · ‎06-24-2021

Hi @JiachengWei

I'm sorry I didn't get the point

ok I used this method, I converted the time to epoch to have a unique number, I created a eventstats to know how many events are present for epoch time value and I filtered events only by unique timestamp

<your search>
| eval epoch_convert=_time
| eventstats count as "events_number" by epoch_convert
| where events_number=1

if this search help you karma point or solution confirmation is appreciated

Ale

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Exclude the logs with the same time for search results

other

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?