Splunk Search

Ignore some duplicate events

philallen1
Path Finder

Hi

There is a checkbox in my app that turns a comparison column to a set of data on or off.

When the user enters the page, by default the comparison column is set to off, so the log to the server has the string "income" in it somewhere.

If the user turns this checkbox on, a second log is sent to the server with the string "incomeComparison", replacing "income".

I need to measure how many times the user flicks between views. Ultimately I want to be able to say something like "the user has accessed this page 10 times, but only ever clicked on the checkbox once", for example.

So far, straightforward...

My problem is the following: we have a polling service that refreshes the view every 1 minute. So every 1 minute another log is sent to the server. If you have the checkbox ticked (resulting in the log with the string "incomeComparison" existing) and you leave your computer for 5 minutes, you'll get 5 logs in a row each with the string "incomeComparison".

So if I come in with it unchecked and click on the checkbox immediately, then leave my computer for 5 minutes, I end up with the following count:

"income" = 1

"incomeComparison" = 5

But in reality, the actual count should be:

"income" = 1

"incomeComparison" = 1 - because I should ignore the polling logs.


I know the simple solution would be to add something to the polling logs to distinguish the difference in Splunk. But is there anything I can do in the search query to filter out the polled logs (i.e. the logs between each change, as it were)?

So if I had logs in this order:

10.00.00am "income"

10.00.30am "incomeComparison"

10.01.30am "incomeComparison"

10.02.30am "incomeComparison"

10.03.00am "income"

10.04.00am "income"

10.04.15am "incomeComparison"

10.05.15am "incomeComparison"


Instead of the count being:

"income" = 3

"incomeComparison" = 5

it should be:

"income" = 2

"incomeComparison" = 2

0 Karma
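One way to answer the question as asked (filter the polled events in the search itself rather than changing the logs), as an added example that is not part of the original thread. The idea is to keep only the events where the view state differs from the immediately preceding event for the same user, so a run of identical polling events collapses to its first occurrence. The index name `app_logs` and the `user` field (some per-session identifier extracted from the log) are assumptions; the original post names neither.

```spl
index=app_logs ("income" OR "incomeComparison")
| rex field=_raw "(?<view>incomeComparison|income)"
| sort 0 user, _time
| streamstats current=f last(view) as prev_view by user
| where isnull(prev_view) OR view!=prev_view
| stats count by view
```

Notes on the pieces: the alternation in `rex` lists `incomeComparison` before `income`, otherwise the shorter string would match first and every event would be tagged `income`. `sort 0 user, _time` orders events oldest first within each user (`0` lifts the default 10,000-row sort limit), and `streamstats current=f` carries the previous event's `view` into `prev_view` without including the current event. Run over the eight constructed events listed above for a single user, the final `stats` returns income=2 and incomeComparison=2. The caveat is the one the thread itself lands on: this counts state transitions, not page visits. A fresh page load that arrives in the same state as the last poll is indistinguishable from another poll, and without a reliable session field two users interleaving events will be mis-collapsed, which is why adding a marker to the polling logs remains the more robust fix.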
1 Solution

sdaniels
Splunk Employee

I believe the best solution for you in this case would be as you said, edit the polling logs so they are easier to interpret and therefore easier for you to maintain and query with Splunk going forward.


philallen1
Path Finder

Yeah, I agree with you. The more I think about it the more difficult it gets (i.e. with multiple users accessing the page at the same time)

0 Karma