Re: Is it possible to dedup by span?

the_wolverine · ‎06-08-2012

I'm try to chart some data using span=1d and was wondering if it possible to dedup data across a timerange with span?

For example, I want to dedup duplicate users in a single day, but I also want those users to show up in previous days when I'm charting over a week.

I'm guessing * | dedup user | timechart span=7d .. would eliminate users from showing up in day 2-7.

I hope that makes sense.

sideview · ‎06-08-2012

* | timechart dc(user) span=7d

where dc means "distinct count of".

This will make timechart count the distinct users per bucket, and since the span argument is setting the bucket size to 7 days, in the end you'll be counting the distinct users in every 7 day period.

sideview · ‎06-09-2012

Probably, but you'll have to tell me more because that pseudo-search-syntax is pretty ambiguous. To take a wild guess and at least tell you something interesting -- you can use the bin command to bucket numeric quantities, and then use stats/chart/timechart to group by those bucketed values. ie "* | bin someNumericField span=100 | stats count over someNumericField" will yield a nice chart with "0-100", "100-200", "200-300" as the x-axis.

the_wolverine · ‎06-09-2012

I'll test this, thank you. Is there a way to chart top(field) limit=X with using a span?

kristian_kolb · ‎06-08-2012

Makes sense. Depending on what you ultimately want out of the logs, something like this could work;

...| stats values(user) by date_wday

or date_mday if that suits you better.

UPDATE:

or rather use;

... earliest=-X latest=-Y | timechart span=1d values(user)

Hope this helps,

Kristian

Is it possible to dedup by span?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases