Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dedup on Field over time span

triva79
Explorer
‎05-20-2024 06:27 AM

we have data in Splunk for user sessions in an app and I am trying to produce a line graph to show usage every hour. the session information is added 4 times an hour so trying to remove the extra results per hour

below is an example for one user but there will be other user data as well 

userName: fred
sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8
timestamp: 2024-05-20T12:00:00Z

userName: fred
sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8
timestamp: 2024-05-20T12:30:00Z

userName: fred
sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8
timestamp: 2024-05-20T12:45:00Z

userName: fred
sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8
timestamp: 2024-05-20T13:00:00Z

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2024 06:39 AM

The session is only present 3 times in the hour, the fourth one at 13:00 is in the next hour

Anyway, assuming you still want to count different sessions for the same user separately, you can do the stats twice

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time, userName

Depending on what count you actually want, you could also do this

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎05-20-2024 07:34 AM

@triva79 

How about...

| timechart span=1h limit=50 useother=false dc(userName) as count by userName


or maybe...

| eval session=userName+":"+sessionKey
| timechart span=1h limit=50 useother=false dc(session) as count by session
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2024 06:39 AM

The session is only present 3 times in the hour, the fourth one at 13:00 is in the next hour

Anyway, assuming you still want to count different sessions for the same user separately, you can do the stats twice

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time, userName

Depending on what count you actually want, you could also do this

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time
0 Karma
Reply
Solved! Jump to solution

triva79
Explorer
‎05-20-2024 07:52 AM

thanks so much 🙂 only my 2nd day using Splunk

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2024 08:38 AM

Hi @triva79 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2024 06:34 AM

Hi @triva79,

you could use timechart or dedup:

<your_search>
| timechart span=1h count BY userName

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...