How to decrease the count for everr search that is...

santohang · ‎01-22-2018

I'm trying to remove duplicates log from the search result every time the page is refreshed.
eg
index=main "Entered into page B"

The possibility here is, this message will be printed when navigating from page A to page B.
This will be printed again everytime the page refreshes.
So, I have a separate log that looks something like this "page is refreshed".
I do know | dedup function will be able to remove the duplicate but this will not be suitable for use here since the "Entered into page B" may also be true if navigating from page C to Page B.

How can I utilize the "Page is refreshed" log to only return one result for every time the "page is refreshed" is true ?

Thank you in advance

niketn · ‎01-22-2018

@santohang, can you add samples for all events you are talking about? Is there any information in the log that you can identify whether the source was page A or page C?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nickhills · ‎01-23-2018

I was going to say something similar - if you have the referrer you can dedup by "page" and "referrer" '|dedup page referrer|` this would give you a record of each page load and the previous page. Where this approach falls down, if if someone goes a->b. b->c. c->a. and then a->b. as it will only show the last occurrence.
Another alternative is to exclude results where the 'hits' where the referrer matches the page (but this depends on the way your server logic is configured)

If my comment helps, please give it a thumbs up!

mayurr98 · ‎01-22-2018

can you try | stats latest(_raw)

How to decrease the count for everr search that is true

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!