Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex by ID removing duplicates
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex by ID removing duplicates
leandromatperei
Path Finder
11-26-2019
04:03 PM
Hello everyone.
I have a code below where each event is determined by the line break. I am wanting to take the value from the "InteractionId" parameter and check that there are no duplicates.
'
I believe it could be a regex that only filters by 'InteractionId' [str] = "value"
But I'm not sure.
2019-11-23T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = "Resources"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = "00052aEWU1VF525"
'TenantId' [int] = 101
'MediaType' [str] = "email"
'InteractionType' [str] = "Inbound"
'InteractionSubtype' [str] = "InboundNew"
2019-11-24T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = "Resources"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = "00052aEWU1VFB525"
'TenantId' [int] = 101
'MediaType' [str] = "email"
'InteractionType' [str] = "Inbound"
'InteractionSubtype' [str] = "InboundNew"
2019-11-25T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = "Resources"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = "00052aEWU1VFB34B"
'TenantId' [int] = 101
'MediaType' [str] = "email"
'InteractionType' [str] = "Inbound"
'InteractionSubtype' [str] = "InboundNew"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-26-2019
08:41 PM
Like this:
| makeresults
| eval raw="2019-11-23T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = \"Resources\"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = \"00052aEWU1VF525\"
'TenantId' [int] = 101
'MediaType' [str] = \"email\"
'InteractionType' [str] = \"Inbound\"
'InteractionSubtype' [str] = \"InboundNew\"
:::2019-11-24T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = \"Resources\"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = \"00052aEWU1VFB525\"
'TenantId' [int] = 101
'MediaType' [str] = \"email\"
'InteractionType' [str] = \"Inbound\"
'InteractionSubtype' [str] = \"InboundNew\"
:::2019-11-25T18:08:04.990 Trc 24102 Sending to Universal Routing Server: urs_ad_ucl_ctmm_p: 'EventRouteRequest' (71) message:
AttributeCustomerID [str] = \"Resources\"
AttributeConnID [long] = 093902ed259a99fc
AttributeMediaType [int] = -1
AttributeCallID [int] = 543269
AttributeCallType [int] = 0
'InteractionId' [str] = \"00052aEWU1VFB34B\"
'TenantId' [int] = 101
'MediaType' [str] = \"email\"
'InteractionType' [str] = \"Inbound\"
'InteractionSubtype' [str] = \"InboundNew\""
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everthing above generates sample event data; everything below is your solution"
| rex max_match=0 "\s+\'?(?<key>\S+)\'?\s\[\S+\]\s=\s\"?(?<value>[^\"\s]+)"
| eval _raw = mvzip(key, value, "=")
| kv
| eventstats count BY InteractionId
| where count > 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-26-2019
04:29 PM
If Each event is determined by the linebreak then your situation is hopeless; surely that is not true! Are you sure it isn't that Each event is determined by timestamp?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leandromatperei
Path Finder
11-26-2019
04:42 PM
That's right, it's by timestamp.
The timestamp is breaking the event normally, my question is how much interactions within the 'Interaction' parameter [str] =
Get Updates on the Splunk Community!
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0
mTLS wasn’t just a checkbox ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
