Activity Feed
- Posted In a time limited table, I'd like to indicate which field values are unique across the whole data set? on Splunk Search. 01-27-2018 07:38 PM
01-27-2018 09:44 PM
Three strategies:
1) If this is an indexed field, then you can use tstats to find the first instance of the value.
2) You could create a summary index that includes the first and last appearance of the value.
3) You could periodically create a lookup table that includes the first and last appearance of the value.
It's not particularly heavy to periodically create a lookup table with first and last occurrence of each username.
Then you create your ongoing search that creates a new record for each occurrence, with first and last occurrence fields set to the new date/time stamp, and stats them together to get the earliest first and latest last occurrence fields for each.
If the first and last occurrence are the same -- or if the first occurrence is within a certain window, then a post process search would pop them over to a second panel.
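A sketch of strategy 3 in SPL, added here as an example and not part of the original answer. The index `auth_logs`, the field `username`, the lookup file `username_first_last.csv`, the output field `seen_status` and the 24-hour window are all assumptions. The first search is the scheduled job that rebuilds the lookup over the whole data set; the second is the time-limited search that appends the lookup rows to the new events, takes the earliest first and latest last occurrence per username, and marks values whose first occurrence equals the last or falls inside the window.

```spl
index=auth_logs earliest=0
| stats min(_time) as first_seen max(_time) as last_seen by username
| outputlookup username_first_last.csv

index=auth_logs earliest=-24h
| eval first_seen=_time, last_seen=_time
| fields username first_seen last_seen
| inputlookup append=true username_first_last.csv
| stats min(first_seen) as first_seen max(last_seen) as last_seen by username
| where last_seen >= relative_time(now(), "-24h")
| eval seen_status=if(first_seen == last_seen OR first_seen >= relative_time(now(), "-24h"), "new", "seen before")
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| table username first_seen last_seen seen_status
```

In a dashboard, the second search can serve as the base search, with a post-process `| where seen_status="new"` feeding the second panel.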