Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart & Stats Dc.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wondered whether someone may be able to help me please.
I'm using the query below which works but contains duplicate id numbers under field "detail.ur"
index=main auditSource=preferences-frontend auditType=TxSucceeded tags.transactionName="Show Print Preference Option"
|eval Interstitpage=if('detail.journey'="Interstitial",1, 0 )
|eval AccountPage=if('detail.journey'="AccountDetails",1, 0 )
|timechart span=1d sum(Interstitpage) AS ShownInterstitial, sum(AccountPage) AS ShownAccountPage
|reverse
I'm trying to incorporate the "stats dc" command to remove these duplicates rather than the dedup because there are a lot of records involved and I know the dedup can be a little inefficient.
I've tried incorporating the "stats dc" in multiple areas of the query but I just can't get this to work.
I just wondered whether someone may be able to point me in the right direction so I may be able to get this to work.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search does not contain any reference to field detail.ur so it cannot exist in your results and there is no way to examine it. If you know that your data has duplicate events then the proper thing to do is reduce them before you pas to timestats/chart/stats. The most straightforward (and perfectly correct/efficient) way to do this is by using dedup detail.ur as soon as possible before timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search does not contain any reference to field detail.ur so it cannot exist in your results and there is no way to examine it. If you know that your data has duplicate events then the proper thing to do is reduce them before you pas to timestats/chart/stats. The most straightforward (and perfectly correct/efficient) way to do this is by using dedup detail.ur as soon as possible before timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try :
index=main auditSource=preferences-frontend auditType=TxSucceeded tags.transactionName="Show Print Preference Option"
|eval Interstitpage=if('detail.journey'="Interstitial",1, 0 )
|eval AccountPage=if('detail.journey'="AccountDetails",1, 0 )
|timechart span=1d sum(Interstitpage) AS ShownInterstitial, sum(AccountPage) AS ShownAccountPage by "detail.ur"
|reverse
or
...|rename "detail.ur" as ID |timechart span=1d sum(Interstitpage) AS ShownInterstitial, sum(AccountPage) AS ShownAccountPage by ID| reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you for coming back to me with this.
I have tried the first query you kindly provided, but unfortunately this doesn't work because it actually creates a column for each "detail.ur" value, rather than summing these under "ShownInterstitial" and "ShowAccountPage" and unfortunately your second query doesn't return any results.
Many thanks and kind regards
Chris
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
Announcing Modern Navigation: A New Era of Splunk User Experience
