Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search query: Unique values based on time

siddharth1479
Path Finder
‎01-07-2020 08:26 AM

Hi Community,
I'm using the search query to search for the user activity and I get the results with duplicate rows with the same user with the same time. The time format is as follows: YYYY-DD-MM HH:MM:SS:000. I get the result as following:

USER | TIME
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 08:58:51

abcd | 2020-06-01 09:32:27
abcd | 2020-06-01 09:32:27
abcd | 2020-06-01 09:32:27

The output I desire is:

USER | TIME
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 09:32:27

Search query I'm using is:
index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | fields "USER" "TIME"

How do I get the unique values, because it seems that Splunk compares the time upto milliseconds.
Can anyone please help me out?

Thanks,
Sid

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

willemjongeneel
Communicator
‎01-13-2020 08:27 AM

Hello,

Maybe you can try to dedup using a stringconcat on user and time fields?

Something like:

index="uam" User="abcd"
| eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
| rename access_time as TIME
| eval key=tostring(TIME)+tostring(User)
| dedup key
| table User, TIME

Kind regards,
Willem Jongeneel

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-13-2020 09:18 AM

@siddharth1479 Try this 

index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | rename access_time as TIME|fields "USER" "TIME"| dedup USER TIME
0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-14-2020 08:58 AM

Hi,
Thanks for the help. Dedup logic seems to be working.

0 Karma
Reply
Solved! Jump to solution
Solution

willemjongeneel
Communicator
‎01-13-2020 08:27 AM

Hello,

Maybe you can try to dedup using a stringconcat on user and time fields?

Something like:

index="uam" User="abcd"
| eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
| rename access_time as TIME
| eval key=tostring(TIME)+tostring(User)
| dedup key
| table User, TIME

Kind regards,
Willem Jongeneel

0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-14-2020 08:55 AM

Hi,
Thanks for the help. Seems to be working with this logic and also made some changes to the logs itself to uniquely identify each entry only once.

0 Karma
Reply
Solved! Jump to solution

heissenberg
New Member
‎01-13-2020 08:21 AM

index="uam" User="abcd"
| eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
| fields "USER" "TIME"
| dedup "USER","TIME"

0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-14-2020 08:57 AM

Hi,
I think you need to rename the access_time as TIME, and yes dedup logic seems to be working.

Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-07-2020 01:42 PM 
index="uam" User="abcd" 
 | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
 | stats values(User) as USER by access_time
 | rename access_time as TIME

hi, try this.

0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-13-2020 07:43 AM

Hi, sorry for late reply. I tried this but it isn't helping. I still get duplicate "Seconds".

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-13-2020 08:50 AM

@siddharth1479
|stats values(User) as USER by access_time
This will be aggregated by the access_time string.
Are they really duplicates?
Please show me the results.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-13-2020 08:58 AM 
| makeresults
|eval _raw="USER,TIME
abcd ,2020-06-01 08:58:51
abcd ,2020-06-01 08:58:51
abcd ,2020-06-01 08:58:51

abcd ,2020-06-01 09:32:27
abcd ,2020-06-01 09:32:27
abcd ,2020-06-01 09:32:27"
| multikv forceheader=1
| rename COMMENT as "your result"
| table USER,TIME
| stats values(USER) as USER by TIME
| table USER,TIME

This is OK.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎01-07-2020 11:47 AM

stats is your friend here

Try something like this:

index="uam" User="abcd" 
| eval Timeime=strftime(_time, "%Y-%d-%m %H:%M:%S")
| stats count by User Time
| fields - count
0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-07-2020 01:12 PM

Hey @wmyersas ,
Thanks for the help.

As I said, Splunk compares the time difference by milliseconds and not by seconds, its still shows the same result which it showed before.

Thanks,
Sid

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎01-09-2020 07:54 AM

If you've already formatted the time into a new format, then you don't need to worry about the milliseconds 🙂

0 Karma
Reply
Solved! Jump to solution

siddharth1479
Path Finder
‎01-13-2020 07:43 AM

Hi, sorry for late reply. I tried this but it isn't helping. I still get duplicate "Seconds".

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎01-13-2020 02:13 PM

Then change your time format to something less granular 🙂

0 Karma
Reply
Solved! Jump to solution

sheamus69
Communicator
‎01-08-2020 08:10 AM

Looks like a typo there:

 index="uam" User="abcd" 
 | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S")
 | rename access_time as TIME
 | stats count by USER TIME
 | fields - count

Should sort it

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎01-09-2020 07:55 AM

I was going off OP - but you're right, he was missing a rename in there 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top