Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to dedup by span?

the_wolverine
Champion
‎06-08-2012 11:44 AM

I'm try to chart some data using span=1d and was wondering if it possible to dedup data across a timerange with span?

For example, I want to dedup duplicate users in a single day, but I also want those users to show up in previous days when I'm charting over a week.

I'm guessing * | dedup user | timechart span=7d .. would eliminate users from showing up in day 2-7.

I hope that makes sense.

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎06-08-2012 03:18 PM

* | timechart dc(user) span=7d

where dc means "distinct count of".

This will make timechart count the distinct users per bucket, and since the span argument is setting the bucket size to 7 days, in the end you'll be counting the distinct users in every 7 day period.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-09-2012 11:52 AM

Probably, but you'll have to tell me more because that pseudo-search-syntax is pretty ambiguous. To take a wild guess and at least tell you something interesting -- you can use the bin command to bucket numeric quantities, and then use stats/chart/timechart to group by those bucketed values. ie "* | bin someNumericField span=100 | stats count over someNumericField" will yield a nice chart with "0-100", "100-200", "200-300" as the x-axis.

0 Karma
Reply

the_wolverine
Champion
‎06-09-2012 12:16 AM

I'll test this, thank you. Is there a way to chart top(field) limit=X with using a span?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-08-2012 12:00 PM

Makes sense. Depending on what you ultimately want out of the logs, something like this could work;

...| stats values(user) by date_wday

or date_mday if that suits you better.

UPDATE:

or rather use;

... earliest=-X latest=-Y | timechart span=1d values(user)

Hope this helps,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...