Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to decrease the count for everr search that is true

santohang
New Member
‎01-22-2018 03:06 PM

I'm trying to remove duplicates log from the search result every time the page is refreshed.
eg
index=main "Entered into page B"

The possibility here is, this message will be printed when navigating from page A to page B.
This will be printed again everytime the page refreshes.
So, I have a separate log that looks something like this "page is refreshed".
I do know | dedup function will be able to remove the duplicate but this will not be suitable for use here since the "Entered into page B" may also be true if navigating from page C to Page B.

How can I utilize the "Page is refreshed" log to only return one result for every time the "page is refreshed" is true ?

Thank you in advance

0 Karma
Reply

niketn
Legend
‎01-22-2018 11:24 PM

@santohang, can you add samples for all events you are talking about? Is there any information in the log that you can identify whether the source was page A or page C?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nickhills
Ultra Champion
‎01-23-2018 01:01 AM

I was going to say something similar - if you have the referrer you can dedup by "page" and "referrer" '|dedup page referrer|` this would give you a record of each page load and the previous page. Where this approach falls down, if if someone goes a->b. b->c. c->a. and then a->b. as it will only show the last occurrence.
Another alternative is to exclude results where the 'hits' where the referrer matches the page (but this depends on the way your server logic is configured)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

mayurr98
Super Champion
‎01-22-2018 10:18 PM

can you try | stats latest(_raw)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...