Splunk Search

Ignore some duplicate events

philallen1
Path Finder

Hi

There is a checkbox in my app that turns a comparison column to a set of data on or off.

When the user enters the page, by default the comparison column is set to off, so the log to the server has the string "income" in it somewhere.

If the user turns this checkbox on, a second log is sent to the server with the string "incomeComparison", replacing "income".

I need to measure how many times the user flicks between views. Ultimately I want to be able to say something like "the user has accessed this page 10 times, but only ever clicked on the checkbox once", for example.

So far, straightforward...

My problem is the following: we have a polling service that refreshes the view every 1 minute. So every 1 minute another log is sent to the server. If you have the checkbox ticked (resulting in the log with the string "incomeComparison" existing) and you leave your computer for 5 minutes, you'll get 5 logs in a row each with the string "incomeComparison".

So if I come in with it unchecked and click on the checkbox immediately, then leave my computer for 5 minutes, I end up with the following count:

"income" = 1

"incomeComparison" = 5

But in reality, the actual count should be:

"income" = 1

"incomeComparison" = 1 - because I should ignore the polling logs.


I know the simple solution would be to add something to the polling logs to distinguish the difference in Splunk. But is there anything I can do in the search query to filter out the polled logs (i.e. the logs between each change, as it were)?

So if I had logs in this order:

10.00.00am "income"

10.00.30am "incomeComparison"

10.01.30am "incomeComparison"

10.02.30am "incomeComparison"

10.03.00am "income"

10.04.00am "income"

10.04.15am "incomeComparison"

10.05.15am "incomeComparison"


Instead of the count being:

"income" = 3

"incomeComparison" = 5

it should be:

"income" = 2

"incomeComparison" = 2

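A search-side approach to the problem in the question above, added here as an example and not part of the original thread. It assumes each event carries a user field and that the view name appears in the raw event text as either incomeComparison or income; the index and sourcetype names are placeholders.

```spl
index=app_logs sourcetype=page_view ("incomeComparison" OR "income")
| rex field=_raw "(?<view>incomeComparison|income)"
| sort 0 _time
| streamstats current=f last(view) AS prev_view BY user
| where isnull(prev_view) OR view!=prev_view
| stats count AS switches BY user, view
```

The rex alternation lists incomeComparison first so a comparison event is not matched as plain income, sort 0 _time walks the events chronologically, and the where clause keeps only each user's first event and any event whose view differs from the previous one, so the polling repeats are dropped and the posted sequence yields income=2 and incomeComparison=2. A user who leaves and later returns to the page in the same view state is still counted once; a page-load or session id in the event, added to the BY clause, would separate those visits.
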
sdaniels
Splunk Employee

I believe the best solution for you in this case would be as you said, edit the polling logs so they are easier to interpret and therefore easier for you to maintain and query with Splunk going forward.

philallen1
Path Finder

Yeah, I agree with you. The more I think about it, the more difficult it gets (i.e. with multiple users accessing the page at the same time).
