Hi Community,
I'm using the search query to search for the user activity and I get the results with duplicate rows with the same user with the same time. The time format is as follows: YYYY-DD-MM HH:MM:SS:000. I get the result as follows:
USER | TIME
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 09:32:27
abcd | 2020-06-01 09:32:27
abcd | 2020-06-01 09:32:27
----------
The output I desire is:
USER | TIME
abcd | 2020-06-01 08:58:51
abcd | 2020-06-01 09:32:27
----------
Search query I'm using is:
index="uam" User="abcd" | eval access_time=strftime(_time, "%Y-%d-%m %H:%M:%S") | fields "USER" "TIME"
----------
How do I get the unique values? It seems that Splunk compares the time up to milliseconds.
Can anyone please help me out?
Thanks,
Sid