Logscape Support

timidri · Newbie

How to do Splunk dedup with Logscape?

ZG · Veteran Member

Hi timidri,

You can use the countUnique function. Update your search to look something like this:

ID.countUnique(user,)

This will count all the unique ids for each user. You have a few options on how you may want to represent the data.

You could use a simple time series view or

| ID.countUnique(user,) chart(stacked )

a tabular view to view the results.

| ID.countUnique(user,) chart(table) buckets(1)

ZG

Date: May 5, 2014

Hi Z,

Thanks for your reply. I have tried and I think the table results are promising. However, the stacked chart is useless I think - the chart does not change over time. Is that correct?

Also, examples for countUnique() at http://logscape.github.io/searching-functions.html don't really mention countUnique itself, maybe needing an update?

Thanks,

Dimitri

timidri · Newbie

Hi Z,

A correction to my own post (forgot to login so the post became anonymous):

- the stacked chart does work BUT

- ID.countUnique(user,) should be ID.countUnique(user). If you put a comma behind user, the chart becomes like so: http://screencast.com/t/0eYLScKQ5gDl . Any ideas why?

Anonymous wrote:

Thanks for your reply. I have tried and I think the table results are promising. However, the stacked chart is useless I think - the chart does not change over time. Is that correct?
Also, examples for countUnique() at http://logscape.github.io/searching-functions.html don't really mention countUnique itself, maybe needing an update?
Thanks,
Dimitri