My problem is that in my data source, when a user logs on there can be a single entry or multiple entries. I need to eliminate the duplicates within each time interval while still allowing for future events from that User ID. I have tried dedup and distinct count (dc). Does anyone have any suggestions?
index=* prdwfcs*/88 WFCSUID=UserID | stats count dc(WFCSUID)
index=* prdwfcs*/88 WFCSUID=UserID | dedup WFCSUID
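For what it's worth, the two attempts above could be combined so the distinct count is computed per time bucket instead of over the whole search window. This is only a sketch: the index/source filter is copied from the searches above, and the 1-hour span and the unique_users field name are assumptions to adjust for your environment:

index=* prdwfcs*/88 WFCSUID=UserID | bin _time span=1h | stats dc(WFCSUID) AS unique_users BY _time

This produces one row per interval with the count of unique User IDs, so a later login by the same user still appears in the next bucket.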
If the duplicates have the same timestamp and other entries from that User ID are different, dedup on _time should do the job for you.
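Something along these lines, reusing the source filter from the searches you posted (a sketch, not tested against your data):

index=* prdwfcs*/88 WFCSUID=UserID | dedup _time WFCSUID

Including WFCSUID alongside _time keeps one event per user per timestamp, so simultaneous duplicates collapse while a later event from the same User ID is retained.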
Just took care of it @Jeff_Lightly_Splunk 🙂
If possible, consider marking somesoni2's comment as an answer and accepting that answer. This will help others who may have similar issues in the future and it helps spread karma 🙂
Thank you somesoni2. dedup by _time did solve my issue.
Yes, they have the same time stamp. I had not thought of it from that aspect. Thank you!
Do the multiple/duplicate login entries have the same timestamp? Could you post a sample of the duplicate entries?