cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jkinny
New Member
Member since: ‎11-30-2018
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-30-2018
View All

Re: How can I remove a second log entry from a que...

by in Building for the Splunk Platform
‎12-04-2018 08:36 AM
‎12-04-2018 08:36 AM
Thanks!! It turned out to be a mix, I ended up doing this: | sort limit=0 _time | dedup claimID sortby +_time The 'sort limit' seems to have arranged the list in the correct order for the 'sortby' to work correctly this time. I honestly don't know why your first answer didn't work, but glad to have gotten this anyway! ... View more

Re: How can I remove a second log entry from a que...

by in Building for the Splunk Platform
‎12-03-2018 10:50 AM
‎12-03-2018 10:50 AM
Thanks for the response Tom, I'll respond to your second answer first, unless I'm misunderstanding, I think that based on what I'm trying to do, I might need to stick with transaction. I'm basically trying to find instances where status=A exists, but there was no prior log message for the same claimID that shows editCode=CA010. The last section to the query here should turn up any 'orphans' (I don't know what you call an orphan that has a closing entry, but no beginning entry). so I tried adding both | dedup claimID sortby +_time and | dedup claimID sortby -_time to the end of my query, and unfortunately both seem to return the same result, and neither is the one that I want. If you look at my screenshot, adding the dedup/sortby command is returning only the top result in my log (@ .716) not the bottom (@.256) ... View more

How can I remove a second log entry from a query t...

by in Building for the Splunk Platform
‎11-30-2018 09:28 AM
‎11-30-2018 09:28 AM
I am using the transaction function to group several log entries by a 'claimID' field. I've noticed that when I do this, for each 'claimID' I am getting an extra log entry that gets returned 'outside' of the transaction. For all intents and purposes this second entry is a duplicate of the 'endswith' parameter of the transaction. I've tried using the 'dedup' function by the 'claimID' field, but it only seems to throw away the oldest result and keep the newest, as in, it removes the transaction block that I want, but keeps the duplicate. (in the attached screenshot, dedup would keep the top entry and remove the bottom transaction-fied entry) query: index=prd sourcetype=app source="/logs/app.log" ("editCode=CA010" OR "status=A") | transaction claimID endswith="status=A" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM