axisvef.blogg.se

Splunk dedup command

I've been struggling with this query for a few hours and it seems that it should be fairly straightforward, but for some reason I'm finding it quite difficult. My customer wants to see the top 2 most recent "key" for each clientType. (Really it's the top N - but more than "first" or "last".) While some translation is done before the step I'm asking about, I have the data looking like this as the output of the query (note: due to proprietary reasons I cannot provide the actual steps above this, nor is this real data, but I think it should translate OK). I've starred the records that should end up in the output.

Now, I've been able to get this working on a smaller scale, say 1 day, but some clientTypes are not very frequent and we need to see the most recent of those as well. The output of this is to be used for certain audit purposes, and what I've found is that when I extend the search to multiple days (returning > 10,000 events), the output is erratic, and I see results that are out of order, not the most recent, or otherwise askew.

By default, the sort command tries to automatically determine what it is sorting:

  • If the field contains numeric values, the collating sequence is numeric.
  • If the field contains IP address values, the collating sequence is for IP addresses.
  • Otherwise, the collating sequence is in lexicographical order.

Numeric data is sorted as you would expect for numbers, and the sort order is specified as ascending or descending. Punctuation strings are sorted lexicographically. Alphanumeric strings are sorted based on the data type of the first character: if the string starts with a number, the string is sorted numerically based on that number alone; otherwise, strings are sorted lexicographically. Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.

The sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values the order might be lexicographical, while for other pairs the order might be numerical. This set of values is sorted numerically because the values are all numeric. This set of values is sorted lexicographically because the values are alphanumeric strings.

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII. Numbers are sorted based on the first digit: for example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9. Uppercase letters are sorted before lowercase letters. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.

Differences between SPL and SPL2: some field names require single quotation marks. Field names that contain anything other than or "_" need single quotation marks. In this example the field name is host-123 and because it contains a dash, it must be enclosed in single quotation marks.
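The collating rules described above, modelled in Python as an added example (this is not Splunk's own implementation; the IP, numeric and leading-number detection heuristics are assumptions made to illustrate the rules, and the comparison is applied per pair of values, as the documentation says the sort command does):

```python
import ipaddress
import re
from functools import cmp_to_key

# Assumption: a run of leading digits is what "starts with a number" means.
LEADING_NUMBER = re.compile(r"^\d+")


def _as_ip(value):
    """Return the integer form of an IPv4 address, or None if not an address."""
    try:
        return int(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def _as_number(value):
    """Return the numeric form of a value, or None if it is not purely numeric."""
    try:
        return float(value)
    except ValueError:
        return None


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_values(a, b):
    """Compare one pair of field values using the documented collating rules."""
    ip_a, ip_b = _as_ip(a), _as_ip(b)
    if ip_a is not None and ip_b is not None:
        return _cmp(ip_a, ip_b)                      # IP address collation
    num_a, num_b = _as_number(a), _as_number(b)
    if num_a is not None and num_b is not None:
        return _cmp(num_a, num_b)                    # numeric collation
    lead_a, lead_b = LEADING_NUMBER.match(a), LEADING_NUMBER.match(b)
    if lead_a and lead_b:                            # "10beta" vs "9gamma": number alone
        result = _cmp(int(lead_a.group()), int(lead_b.group()))
        if result:
            return result
    # Lexicographic order on the UTF-8 encoding: uppercase sorts before lowercase.
    return _cmp(a.encode("utf-8"), b.encode("utf-8"))


def splunk_sort(values, descending=False):
    """Sort a field's values pairwise with the rules above."""
    return sorted(values, key=cmp_to_key(compare_values), reverse=descending)


def lexicographic_sort(values):
    """Pure byte-order sort: what you get when numbers are treated as strings."""
    return sorted(values, key=lambda v: v.encode("utf-8"))
```

Run `lexicographic_sort(["10", "9", "70", "100"])` beside `splunk_sort` on the same list to see the 10, 100, 70, 9 ordering from the text next to the numeric 9, 10, 70, 100 ordering; a field that mixes value kinds is where the per-pair rule produces orderings that look erratic.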