Solved: Using Dedup by location?

zsizemore · ‎07-25-2016

Hi,

Right now my code is: | stats earliest(_time) as first_login latest(_time) as last_login by IP_address User | eval term=last_login-first_login | eval term=case(term>(86400*7), "Long", term>86400 AND term<(86400*7), "Short", term<86400, "Very Short") | iplocation IP_address | where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="") | stats dc(User) AS usercount by Country City term User | dedup User | eval temp=Country."##".City | chart sum(usercount) over temp by term | rex field=temp "(?.+)##(?.+)" | table Country City "Very Short" Short Long

I thought it was working the way I wanted to, but then through some cross-checking I noticed it's deduplicating the User globally, and my intentions are for it to only dedup it by the Country, or Country/City if that makes sense..

So if someone logs in Shanghai, China as "Very Short" and then logs in from Wuhan, China as "Very Short" (within the last 30 days), it's only counting the Shanghai login.

I've done some playing around with where I put the Dedup, but I can't seem to make any real headway.

Any guidance is appreciated.

pradeepkumarg · ‎07-25-2016

Try this

| dedup User Country City

This will remove any duplicate occurences of the User Country City combination

View solution in original post

pradeepkumarg · ‎07-25-2016

Try this

| dedup User Country City

This will remove any duplicate occurences of the User Country City combination

zsizemore · ‎07-25-2016

This seems to do what I was looking for! Such a simple fix haha, thank you!

Using Dedup by location?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!