Using dedup in multi-month query

wu_weidong · ‎02-19-2020

I'm trying to create a timechart showing the count of events over 6 months. The query is

index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | dedup f_1 f_2 | timechart count by id span=1mon

The goal is to dedup within that month only, not across all 6 months. For example, if the same values of f_1,f_2 appear in all 6 months, I should get 1 count of f_1,f_2 in each of the 6 months, not only in the last month. However, it seems like the f_1,f_2 values will be dedup across all 6 months, and appear only in the last month.

Can I bin events by the months they appear in, then dedup within that month only to achieve this? Or is there another way?

to4kawa · ‎02-28-2020

index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") 
| eval category = case(...) 
| eval fields = split(name,"_") 
| eval mname = mvindex(fields,1) 
| search category = "promo" 
| eval f_1_tmp=f_1.":".strftime(_time,"%Y%m"),f_2_tmp=f_2.":".strftime(_time,"%Y%m")
| dedup f_1_tmp f_2_tmp 
| timechart count by id span=1mon

Using dedup in multi-month query

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

Using dedup in multi-month query

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...