
How do I group per N minutes and remove duplicates within those?

rune_hellem
Contributor

The initial search is this:

index=myindex myapplication UID=* IDX=* IDOK=*  | dedup IDX |  table _time,UID,IDX,IDOK 

I have been asked to create a report that shows the same for, let's say, the last 24 hours — but not removing all duplicates, only duplicates within each 5 minute time slot. I guess the time slot is created using span, but I am not sure how to ensure that I do not get duplicate IDX values.


kmorris_splunk
Splunk Employee

Give this a try:

index=myindex myapplication UID=* IDX=* IDOK=*  | bin _time span=5m | dedup _time IDX |  table _time,UID,IDX,IDOK

The bin will group in 5 minute chunks. Doing the dedup on both _time (a five minute chunk) and IDX will dedup on IDX within the five minute block.

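To make the difference between the two searches concrete, here is an added Python re-implementation of the relevant SPL semantics (this is example code written for this page, not Splunk code and not part of the thread). It emulates `bin _time span=5m` by flooring each epoch timestamp to the start of its 5-minute bucket, and `dedup` by keeping the first event seen for each combination of the named fields. The event list, UIDs and timestamps are constructed sample data; the helper names (`bin_time`, `dedup`, `per_bucket_dedup`) are this example's own.

```python
from datetime import datetime, timezone


def ts(hour, minute, second=0):
    """Constructed helper: epoch seconds for a fixed sample date (UTC)."""
    return int(datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc).timestamp())


# Constructed sample events; _time is epoch seconds, like Splunk's _time field.
EVENTS = [
    {"_time": ts(10, 0, 5),   "UID": "u1", "IDX": "A", "IDOK": "ok"},
    {"_time": ts(10, 1, 30),  "UID": "u2", "IDX": "A", "IDOK": "ok"},    # duplicate IDX A in the 10:00 bucket
    {"_time": ts(10, 3, 0),   "UID": "u3", "IDX": "B", "IDOK": "fail"},
    {"_time": ts(10, 6, 10),  "UID": "u4", "IDX": "A", "IDOK": "ok"},    # IDX A again, but in the 10:05 bucket
    {"_time": ts(10, 7, 45),  "UID": "u5", "IDX": "B", "IDOK": "ok"},
    {"_time": ts(10, 9, 59),  "UID": "u6", "IDX": "B", "IDOK": "ok"},    # duplicate IDX B in the 10:05 bucket
    {"_time": ts(10, 10, 0),  "UID": "u7", "IDX": "C", "IDOK": "ok"},    # first event of the 10:10 bucket
]


def bin_time(events, span_seconds=300):
    """Emulate `bin _time span=5m`: floor _time to the start of its bucket."""
    binned = []
    for event in events:
        copy = dict(event)
        copy["_time"] = event["_time"] - (event["_time"] % span_seconds)
        binned.append(copy)
    return binned


def dedup(events, *fields):
    """Emulate `dedup f1 f2 ...`: keep the first event seen per field-value combination."""
    seen = set()
    kept = []
    for event in events:
        key = tuple(event[field] for field in fields)
        if key in seen:
            continue
        seen.add(key)
        kept.append(event)
    return kept


def table(events, *fields):
    """Emulate `table f1,f2,...`: project each event onto the listed fields."""
    return [{field: event[field] for field in fields} for event in events]


def global_dedup(events):
    """The original search: `dedup IDX` over the whole time range."""
    return table(dedup(events, "IDX"), "_time", "UID", "IDX", "IDOK")


def per_bucket_dedup(events, span_seconds=300):
    """The answer's search: `bin _time span=5m | dedup _time IDX`."""
    binned = bin_time(events, span_seconds)
    return table(dedup(binned, "_time", "IDX"), "_time", "UID", "IDX", "IDOK")


if __name__ == "__main__":
    print("global dedup keeps:", [row["UID"] for row in global_dedup(EVENTS)])
    print("per-bucket dedup keeps:", [row["UID"] for row in per_bucket_dedup(EVENTS)])
```

On the sample data the global `dedup IDX` keeps only three events (one per IDX for the whole range), whereas `bin` followed by `dedup _time IDX` keeps five, because IDX A and IDX B each reappear in a later 5-minute bucket. One caveat when comparing with real Splunk output: `dedup` keeps the first event in result order, and a search without an explicit `sort` returns events newest first, so within each bucket Splunk retains the most recent occurrence, while this example keeps whichever event appears first in the list.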