Getting Data In

Why does my search that checks for extract yield events twice with two different timestamps?

shakeel253
Explorer

I recently setup Splunk Dashboard integrated with Tableau, when i run below mentioned query it gives me a count of successful extract for today.

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count.

But recently when the query ran it shows two results for same extract when it should be 1, also,if you see both the events closely even though it has a date of 09/27/2017 but inside it displays date_mday = 27 for the second query result date_mday = 26. What can i add to the query where it does not duplicate and display Today results

9/27/17

7:30:04.734 AM

2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662
date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default

9/27/17
12:50:47.694 AM
2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195
date_mday = 26 date_month** = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

The query ran twice successfully in the time range.

In order to dedup them, you will need to identify what part of the event identifies a unique extract.

Try this...

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO 
com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" 
| rex "source = (?<sourcelog>.*.log)" 
| dedup sourcelog
| stats count
0 Karma

shakeel253
Explorer

The above query didnt give me required results.
This is the query i am running, if you closely look the highlighted time stamp, the results are being replicated, what can i add to the query that it wont replicate date_mday

host=TABLEAU "(SEVIS,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository" | stats count

10/13/17
5:03:05.749 AM

2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 (guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241
date_mday = 13 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default
10/13/17
12:39:41.996 AM
2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 (guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236
date_mday = 12 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---_:
.....-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-0.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...