I am creating transactions based on userId like this to find paths taken by a user in a session:
* | transaction mvlist=t userId maxpause=900s | table name, dt
Say I get a transaction that looks like this (just an example):
A, 14:35:07
A, 14:35:07
B, 14:36:00
C, 14:36:30
C, 14:36:30
D, 14:37:05
Events 1 & 2 and 4 & 5 are duplicates. I am not sure why I get these results, but in any case I want to remove the duplicate events, to make the transaction look like this:
A, 14:35:07
B, 14:36:00
C, 14:36:30
D, 14:37:05
Any idea how I could do this for all transactions?
Maybe this?
... | transaction mvlist=t userId maxpause=900s | dedup name dt | table name, dt
I figured it out now, it works if I do the dedup before creating the transaction. Thanks!
It doesn't seem to do anything. Maybe there's something wrong with the rest of my search, here is the entire search string:
The duplicates are still there.
Although it should work according to example 5 here:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Dedup
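The fix reported in the thread (dedup before building the transaction), modelled in Python as an added example that is not part of the original posts or of Splunk itself. The `userId` values, the extra events and the helper names `dedup`, `transactions` and `paths` are assumptions; the model also shows that deduplicating on `name` and `dt` alone, before grouping, drops another user's event that shares both values.

```python
from datetime import datetime, timedelta

# Constructed sample events (userId, name, dt), mirroring the question's session.
EVENTS = [
    ("u1", "A", "14:35:07"), ("u1", "A", "14:35:07"),
    ("u1", "B", "14:36:00"),
    ("u1", "C", "14:36:30"), ("u1", "C", "14:36:30"),
    ("u1", "D", "14:37:05"),
    ("u1", "A", "15:10:00"),   # more than 900 s later: starts a new session
    ("u2", "A", "14:35:07"),   # same name/dt as u1's first event, different user
]

def dedup(events, fields=(0, 1, 2)):
    """Keep the first event for each combination of the chosen fields."""
    seen, kept = set(), []
    for ev in events:
        key = tuple(ev[i] for i in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

def transactions(events, maxpause=900):
    """Group events per userId; a gap above maxpause seconds opens a new group.
    Values are kept as lists with repeats, as with mvlist=t."""
    out, last = {}, {}
    for user, name, dt in sorted(events, key=lambda e: (e[0], e[2])):
        t = datetime.strptime(dt, "%H:%M:%S")
        if user not in last or t - last[user] > timedelta(seconds=maxpause):
            out.setdefault(user, []).append([])
        out[user][-1].append((name, dt))
        last[user] = t
    return out

def paths(txns):
    """Collapse each session to the sequence of event names."""
    return {u: ["".join(n for n, _ in s) for s in sess] for u, sess in txns.items()}

if __name__ == "__main__":
    print("transaction only:      ", paths(transactions(EVENTS)))
    print("dedup then transaction:", paths(transactions(dedup(EVENTS))))
    print("dedup on name, dt only:", paths(transactions(dedup(EVENTS, (1, 2)))))
```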