Splunk Search

Ignore some duplicate events

philallen1
Path Finder

Hi

There is a checkbox in my app that turns a comparison column to a set of data on or off.

When the user enters the page, by default the comparison column is set to off, so the log to the server has the string "income" in it somewhere.

If the user turns this checkbox on, a second log is sent to the server with the string "incomeComparison", replacing "income".

I need to measure how many times the user flicks between views. Ultimately I want to be able to say something like "the user has accessed this page 10 times, but only ever clicked on the checkbox once", for example.

So far, straightforward...

My problem is the following: we have a polling service that refreshes the view every 1 minute. So every 1 minute another log is sent to the server. If you have the checkbox ticked (resulting in the log with the string "incomeComparison" existing) and you leave your computer for 5 minutes, you'll get 5 logs in a row each with the string "incomeComparison".

So if I come in with it unchecked and click on the checkbox immediately, then leave my computer for 5 minutes, I end up with the following count:

"income" = 1

"incomeComparison" = 5

But in reality, the actual count should be:

"income" = 1

"incomeComparison" = 1 - because I should ignore the polling logs.


I know the simple solution would be to add something to the polling logs to distinguish the difference in Splunk. But is there anything I can do in the search query to filter out the polled logs (i.e. the logs between each change, as it were)?

So if I had logs in this order:

10.00.00am "income"

10.00.30am "incomeComparison"

10.01.30am "incomeComparison"

10.02.30am "incomeComparison"

10.03.00am "income"

10.04.00am "income"

10.04.15am "incomeComparison"

10.05.15am "incomeComparison"


Instead of the count being:

"income" = 3

"incomeComparison" = 5

it should be:

"income" = 2

"incomeComparison" = 2

0 Karma
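The transition count the question asks for, written as a Splunk search. This is an added example, not from the original post or from the accepted answer; the index, sourcetype and the `user` field are assumed placeholders, and the polled events are collapsed by keeping only events whose view differs from the previous event for the same user.

```spl
index=app sourcetype=app_log ("income" OR "incomeComparison")
| eval view=if(searchmatch("incomeComparison"), "incomeComparison", "income")
| sort 0 user _time
| streamstats current=f last(view) as prev_view by user
| where isnull(prev_view) OR view!=prev_view
| stats count by user view
```

On the sample sequence in the question this yields "income" = 2 and "incomeComparison" = 2, because the repeated "income" at 10.03.00 and 10.04.00 collapses the same way the polled "incomeComparison" events do; grouping by `user` keeps one user's polling from masking another user's change.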
1 Solution

sdaniels
Splunk Employee

I believe the best solution for you in this case would be as you said, edit the polling logs so they are easier to interpret and therefore easier for you to maintain and query with Splunk going forward.

philallen1
Path Finder

Yeah, I agree with you. The more I think about it, the more difficult it gets (i.e. with multiple users accessing the page at the same time).

0 Karma