Re: Removing consecutive events with identical 'na...

merethhe · ‎05-21-2014

I run this search:

... | dedup userId name dt | transaction mvlist=t userId maxpause=900s | where mvindex(id, -1) == "1152921526082717650" | table name, dt

Which creates transactions based on userId that ends with the specified page id, and removes events that are equal in name and timestamp for each user. It gives me a result for instance like this:

A, 19:00:00
B, 19:00:30
C, 19:01:00
C, 19:01:35
B, 19:02:00

What I want to do now, is remove all events that follow an event with the exact same name, that is I want to remove the second "C" event. The problem is, I do NOT want to remove the second "B" event, even though it already occured in the transaction. This means that I can not use dedup on the (name, userId) combination.

Any suggestions?

somesoni2 · ‎05-21-2014

Give this a try

... | dedup userId name dt | transaction mvlist=t userId maxpause=900s | where mvindex(id, -1) == "1152921526082717650" | table name, dt | streamstats current=f window=1 first(name) as prevName | where name != prevName

merethhe · ‎05-22-2014

It did not work. 'prevName' seems to be set as the name of the first event from the previous transaction.

Removing consecutive events with identical 'name' field but different timestamp in a transaction

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...