Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove consecutive repeat events by an unique user?

tanyongjin
Explorer
‎05-10-2017 08:00 PM

How can I remove events that are repeated consecutively?

For example, my logs shows:
Timestamp 1 | Event A | User 1
Timestamp 2 | Event B | User 2
Timestamp 3 | Event B | User 2
Timestamp 4 | Event C | User 1
Timestamp 5 | Event C | User 1
Timestamp 6 | Event C | User 2
Timestamp 7 | Event A | User 2

How can I make it to:
Timestamp 1 | Event A | User 1
Timestamp 2 | Event B | User 2
Timestamp 4 | Event C | User 1
Timestamp 6 | Event C | User 2
Timestamp 7 | Event A | User 2

I am able to cluster events that occur close to each other via transaction maxpause, but it also clusters events from different users. How can I get around it?

Thank you!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ckunath
Communicator
‎05-11-2017 07:03 AM

You can specify fields when using transaction aswell as the maximum time that the events can be apart. That should un-clutter your transactions.

your search | transaction User maxspan=5m

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-11-2017 08:44 AM

Here's run-anywhere code to make your test data... 

| makeresults | eval mydata= "1=A 2=B 2=B 1=C 1=C 2=C 2=A" | makemv mydata | mvexpand mydata | rex field=mydata "(?<User>[^=]+)=(?<Event>.*)" | eval User = "User ".User | eval Event="Event ".Event | streamstats count as recno | eval _time =relative_time(now(),"-1h@h") + recno 
| rename COMMENT as "The above just generates your test data."

Then you can do either this....

| rename COMMENT as "This assumes that the Events have a completely unique key."
| stats min(_time) as _time by User Event | table _time Event User  | sort 0 _time

... or this... 

| rename COMMENT as "This assumes that the Events have an event type that is not unique."
| sort 0 _time 
| streamstats current=f last(Event) as lastEvent by User
| where isnull(lastEvent) OR Event!=lastEvent
0 Karma
Reply
Solved! Jump to solution
Solution

ckunath
Communicator
‎05-11-2017 07:03 AM

You can specify fields when using transaction aswell as the maximum time that the events can be apart. That should un-clutter your transactions.

your search | transaction User maxspan=5m
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...