Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

If two events occur X seconds apart ignore the first one

dbcase
Motivator
‎01-24-2017 08:21 PM

Hi,

I have a log file that reports an event twice. It is the exact same event except it is repeated 1 or 2 or 3 or up to 5 seconds apart. It is only repeated twice. What I'd like to do is ignore the first event and report the second event.

Tags (1)
0 Karma
Reply

niketn
Legend
‎01-25-2017 06:55 AM

Can you add your field names and some sample data?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

dbcase
Motivator
‎01-25-2017 07:51 AM

Sure!

Here is the query that I have

index=cox stuck OR unstuck  | rex "GET\s(?<URL>\S+)"  | rex "(?<threadStatus>(STUCK|unstuck))"| rex "(?:.*?ExecuteThread:\s'){2}(?<threadID>\S+)[']"  | eval timestamp=strftime(_time,"%x %X")| sort _time| dedup threadID host _time| stats list(URL) as URL list(timestamp) as Time list(threadStatus) as "Thread Status" by host threadID|sort host threadID

It generates a report that looks like this

host .               threadID           URL                                                                Time                     Thread Status

host_portal1    7                  /rest/icontrol/sites/72178/rules                01/24/17 03:01:03            STUCK
                                                  /rest/icontrol/sites/72178/rules                  01/24/17 03:02:03           STUCK
                                                                                                                            01/24/17 03:02:10           unstuck

If you notice the first two lines they are identical except for the 1 second differential in time. I'd like to eliminate one of the two lines (doesn't matter which one) so the report looks like this

host . threadID URL Time Thread Status

host_portal1    7                  /rest/icontrol/sites/72178/rules                01/24/17 03:01:03            STUCK
                                                                                                                           01/24/17 03:02:10           unstuck

Does that help?

0 Karma
Reply

dbcase
Motivator
‎01-25-2017 07:52 AM

Ugh well the formatting kinda sucks but hopefully you can get the idea.....

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-24-2017 08:51 PM

Hi dbcase,

I think you can use the dedup command to remove deplicate events that contain identical combination of values for the fields that you specify. You can specify the number of events with duplicate values, or value combinations, to keep. You can sort the fields. When you sort, the dedup command deduplicates the results based on the specified sort-by fields.
For example, assuming you use clientip and action to identify events, you can use the following search: 

... | dedup clientip action sortby +_time

For detailed information about the dedup command, please refer to documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Dedup
Hope this helps. Thanks!
Hunter

0 Karma
Reply

dbcase
Motivator
‎01-25-2017 04:43 AM

Hi Hunters,

I thought about that but the challenge is the event is identical except for the time. So if I dedup and exclude the time I remove other events that I'm interested in. If I dedup and include the time it doesn't do anything because the time is unique.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...