Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to identify how many times that same timestamp is occured .....

dilstn
Explorer
‎03-28-2013 03:54 AM

I have logs in which some events occured twice in same timestamp.......so i need to identify and eliminate those repeated timestamp alone.... I found that with dedup it provide once occurence of timestamp... but i need to eliminated repeated timestamps alone .....

For example .,,,.. these are the fields obtained by using regex ...Fields--> Date & CountryCode

Date CountryCode
Mar 28, 2013 5:42:30 AM AUS
Mar 28, 2013 5:42:30 AM AUS
Mar 28, 2013 5:50:21 AM PAK
Mar 28, 2013 5:57:14 AM USA
Mar 28, 2013 5:59:45 AM SGP
. .
. .
. .

So here i need to eliminate repeated timestamp... here the first two field values are repeated....
So it must be eliminated......

The result should be like this......

Date CountryCode

Mar 28, 2013 5:50:21 AM PAK
Mar 28, 2013 5:57:14 AM USA
Mar 28, 2013 5:59:45 AM SGP
.

So the repeated timestamp should be avoided .... Can u guide me .....plz...............

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-28-2013 04:43 AM

So... you want to drop any row where the timestamp occurs more than once? Try this:

... | eventstats count by _time | where count=1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

BobM
Builder
‎03-28-2013 09:41 AM

Splunk has a dedup command to remove duplicates. You just mention the fields to compare and it will keep only the first it detects.

... | dedup Date, CountryCode

Bob

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-28-2013 04:46 AM

So you want to remove all of the results for the duplicated events, not just the extras, right?

Assuming there are fields called Date and CountryCode;

...| stats c(CountryCode) as count first(CountryCode) as CountryCode by Date | where count < 2 | fields - count

/K

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-28-2013 04:43 AM

So... you want to drop any row where the timestamp occurs more than once? Try this:

... | eventstats count by _time | where count=1
0 Karma
Reply
Solved! Jump to solution

dilstn
Explorer
‎03-28-2013 06:41 AM

you are really rocking man !!! . It worked finally ...thank U

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-28-2013 05:20 AM

If that's what he wants he can do an eventstats count by _time CountryCode to eliminate that risk.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-28-2013 04:49 AM

there's a risk that two events with different CountryCodes may happen in the same second..

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...