Is it possible to dedup by span?

the_wolverine · ‎06-08-2012

I'm try to chart some data using span=1d and was wondering if it possible to dedup data across a timerange with span?

For example, I want to dedup duplicate users in a single day, but I also want those users to show up in previous days when I'm charting over a week.

I'm guessing * | dedup user | timechart span=7d .. would eliminate users from showing up in day 2-7.

I hope that makes sense.

sideview · ‎06-08-2012

* | timechart dc(user) span=7d

where dc means "distinct count of".

This will make timechart count the distinct users per bucket, and since the span argument is setting the bucket size to 7 days, in the end you'll be counting the distinct users in every 7 day period.

sideview · ‎06-09-2012

Probably, but you'll have to tell me more because that pseudo-search-syntax is pretty ambiguous. To take a wild guess and at least tell you something interesting -- you can use the bin command to bucket numeric quantities, and then use stats/chart/timechart to group by those bucketed values. ie "* | bin someNumericField span=100 | stats count over someNumericField" will yield a nice chart with "0-100", "100-200", "200-300" as the x-axis.

the_wolverine · ‎06-09-2012

I'll test this, thank you. Is there a way to chart top(field) limit=X with using a span?

kristian_kolb · ‎06-08-2012

Makes sense. Depending on what you ultimately want out of the logs, something like this could work;

...| stats values(user) by date_wday

or date_mday if that suits you better.

UPDATE:

or rather use;

... earliest=-X latest=-Y | timechart span=1d values(user)

Hope this helps,

Kristian

Is it possible to dedup by span?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!