Getting Data In

Why does my search that checks for extract yield events twice with two different timestamps?

shakeel253
Explorer

I recently set up a Splunk dashboard integrated with Tableau. When I run the query below, it gives me a count of successful extracts for today.

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract" | stats count

But recently, when the query ran, it showed two results for the same extract when it should be 1. Also, if you look at both events closely, even though they have a date of 09/27/2017, inside it displays date_mday = 27 and, for the second query result, date_mday = 26. What can I add to the query so that it does not duplicate and displays today's results?

9/27/17
7:30:04.734 AM

2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572 (twb) + 758672090 (guid={XXXXXXX) = 758684662
date_mday = 27 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-XX-XXX-X-XXX unix_category = all_hosts unix_group = default

9/27/17
12:50:47.694 AM
2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: XXXXXX/extract repoExtractId:17494 size:12521 (twb) + 758649674 (guid={XXXXXXXX5}) = 758662195
date_mday = 26 date_month = september date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+__(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder/backgrounder-3 splunk_server = ip-10-168-2-185 unix_category = all_hosts unix_group = default

0 Karma

DalJeanis
Legend

The query ran twice successfully in the time range.

In order to dedup them, you will need to identify what part of the event identifies a unique extract.

Try this...

host=TABLEAU splunk_server="ip-XX-XXX-X-XXX" "(XXXX,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: AAAAA_AAAAAAPrgExtensions/extract"
| rex "source = (?<sourcelog>.*\.log)"
| dedup sourcelog
| stats count
0 Karma
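
An added example, not written by either poster and in Python rather than SPL so it runs outside Splunk: it parses the two events pasted in the question (trimmed) and counts distinct repoExtractId values per calendar day, once by UTC date and once by the date written in the log line. It assumes repoExtractId identifies one extract run; the regex and the function names are made up for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the two events from the question, trimmed to the fields used here.
SAMPLE_EVENTS = [
    "2017-09-27 03:30:04.734 -0400 (XXXX,,,) pool-3-thread-1 : INFO "
    "com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: "
    "XXXXXXPrgExtensions/extract repoExtractId:17503 size:12572",
    "2017-09-26 20:50:47.694 -0400 (XXXXX,,,) pool-3-thread-1 : INFO "
    "com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: "
    "XXXXXX/extract repoExtractId:17494 size:12521",
]

# Hypothetical pattern for this log layout: timestamp with offset, extract name, run id.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?"
    r"Storing to repository: (?P<name>\S+)/extract repoExtractId:(?P<id>\d+)"
)

def parse_event(line):
    """Return extract name, repoExtractId and the event date in both zones, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    return {
        "name": m.group("name"),
        "extract_id": int(m.group("id")),
        "server_date": ts.date().isoformat(),  # date as written in the log (-0400)
        "utc_date": ts.astimezone(timezone.utc).date().isoformat(),
    }

def count_extracts(lines, date_field):
    """Count distinct repoExtractId values per day, keyed by the chosen date field."""
    ids_per_day = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is not None:
            ids_per_day[event[date_field]].add(event["extract_id"])
    return {day: len(ids) for day, ids in ids_per_day.items()}

if __name__ == "__main__":
    print("by UTC date:   ", count_extracts(SAMPLE_EVENTS, "utc_date"))
    print("by server date:", count_extracts(SAMPLE_EVENTS, "server_date"))
```
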

shakeel253
Explorer

The above query didn't give me the required results.
This is the query I am running. If you look closely at the highlighted timestamp, the results are being replicated. What can I add to the query so that it won't replicate date_mday?

host=TABLEAU "(SEVIS,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository" | stats count

10/13/17
5:03:05.749 AM

2017-10-13 01:03:05.749 -0400 (ABCDE,,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17936 size:12999 (twb) + 1709242 (guid={0E61DCE4-54DC-4855-B7D2-ADED09CD280F}) = 1722241
date_mday = 13 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---:....._-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-1.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default
10/13/17
12:39:41.996 AM
2017-10-12 20:39:41.996 -0400 (ABCDE,,) pool-3-thread-1 : INFO com.tableausoftware.model.workgroup.service.VqlSessionService - Storing to repository: SEVIS_UserVerification_Program/extract repoExtractId:17935 size:13010 (twb) + 1709226 (guid={423E7580-4F13-44FC-8A20-B14A3056FD77}) = 1722236
date_mday = 12 date_month = october date_year = 2017 eventtype = nix-all-logs host = TABLEAU index = main linecount = 1 punct = --::.-(,,,)---_:.....-:/::()+(={ source = D:\Software\Tableau\Tableau Server\data\tabsvc\logs\backgrounder\backgrounder-0.log sourcetype = backgrounder-0.log splunk_server = ip-12-123-1-123 unix_category = all_hosts unix_group = default

0 Karma