I recently set up a Splunk dashboard integrated with Tableau. When I run the query below, it gives me a count of successful extracts for today.
host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count.
But recently when the query ran it showed two results for the same extract when it should be 1. Also, if you look at both events closely, even though both have a date of 09/27/2017, the first shows date_mday = 27 and the second query result shows date_mday = 26. What can I add to the query so that it does not duplicate and displays today's results?
9/27/17
7:30:04.734 AM
2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662
date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default
9/27/17
12:50:47.694 AM
2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195
date_mday = 26 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default
The query ran twice successfully in the time range.
In order to dedup them, you will need to identify what part of the event identifies a unique extract.
Try this...
host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract"
| rex field=source "(?<sourcelog>backgrounder-\d+\.log)$"
| dedup sourcelog
| stats count
The above query didn't give me the required results.
This is the query I am running. If you look closely at the highlighted timestamps, the results are being replicated. What can I add to the query so that it won't replicate date_mday?
host=TABLEAU "(SEVIS,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository" | stats count
10/13/17
5:03:05.749 AM
2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 (guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241
date_mday = 13 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default
10/13/17
12:39:41.996 AM
2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 (guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236
date_mday = 12 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---_:.....-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-0.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default
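As an added example, not part of the original question or of the answer above, the following Python script parses the two October backgrounder lines posted above and applies the answer's advice: pick the part of the event that identifies a unique extract, then count. It shows how the count changes depending on which field is treated as the key (repoExtractId versus the repository name) and which timezone the day is bucketed in (the log's own -0400 offset versus UTC). The sample lines are copied from the post; the regex, the function names and the choice of UTC as the display timezone are my assumptions, not anything from Tableau or Splunk.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two backgrounder lines posted in the question above,
# copied as they appear there (extract ids and GUIDs are the ones on the page).
EVENTS = [
    "2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO "
    "com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: "
    "SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 "
    "(guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241",
    "2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO "
    "com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: "
    "SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 "
    "(guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236",
]

# The offset written in every raw line (-0400) and UTC. Assumption: the
# 12:39:41 AM / 5:03:05 AM display times in the post are the same instants in UTC.
LOG_TZ = timezone(timedelta(hours=-4))
UTC = timezone.utc

# Hypothetical pattern: timestamp with offset, repository path, repoExtractId.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?"
    r"Storing to repository: (?P<repo>\S+) repoExtractId:(?P<extract_id>\d+)"
)


def parse_event(line):
    """Return {ts, repo, extract_id} for a 'Storing to repository' line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    return {"ts": ts, "repo": m.group("repo"), "extract_id": int(m.group("extract_id"))}


def raw_mday(line):
    """Day-of-month exactly as the raw timestamp states it (what date_mday reports)."""
    return parse_event(line)["ts"].day


def count_extracts(lines, day, tz=UTC, key="extract_id"):
    """Count distinct `key` values among events whose timestamp falls on `day`
    (YYYY-MM-DD) once converted to timezone `tz`. Lines that do not parse are skipped."""
    seen = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["ts"].astimezone(tz).date().isoformat() == day:
            seen.add(ev[key])
    return len(seen)


if __name__ == "__main__":
    for line in EVENTS:
        ev = parse_event(line)
        print(ev["extract_id"], ev["repo"], "raw day:", ev["ts"].day,
              "UTC day:", ev["ts"].astimezone(UTC).date())
    print("2017-10-13 by repoExtractId, UTC day    :", count_extracts(EVENTS, "2017-10-13"))
    print("2017-10-13 by repoExtractId, -0400 day  :", count_extracts(EVENTS, "2017-10-13", tz=LOG_TZ))
    print("2017-10-13 by repository name, UTC day  :", count_extracts(EVENTS, "2017-10-13", key="repo"))
```

Two points worth checking before adding a dedup to the search. First, the two events carry different repoExtractId values (17936 and 17935), so deduplicating on the repository name alone would collapse two genuine extract runs into one. Second, the date_mday mismatch is a timezone effect rather than a duplicate: Splunk's date_* fields are taken from the raw timestamp text (2017-10-12 20:39:41 -0400 gives date_mday = 12), while the time shown next to the event is rendered in the search user's timezone, where that same instant is already 10/13. In SPL the equivalent of the key used here would be a rex over _raw that captures repoExtractId followed by dedup on that field, with the day boundary chosen deliberately via the time picker or a bin on _time.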