https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643996#M79177 <P>You mentioned in your description that you want to use dedup on user field.</P><P>If you check the data given, the first and second row have different field values for user: - abc, abc1.</P><P>In your actual dataset, are two values different or are they same?</P> Sat, 20 May 2023 03:04:15 GMT Taruchit 2023-05-20T03:04:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643990#M79174 <P>I am new and learning splunk, I have a 2 events like below with same event type.&nbsp;<BR /><BR /></P><P>name='name1', user='abc', type='type1', other-fields &nbsp; &nbsp; : latest event</P><P>name='name1', user='abc1', type='type1', other-fields &nbsp;: past event</P><P>name='name2', user='def', type='type2', other-fields &nbsp; &nbsp;&nbsp;</P><P>&nbsp;</P><P>I want to dedup based on user field, but the dedup value changes but all other fields remain same. In this case I want to match fields name &amp; type between first 2 events and pick up the latest one.&nbsp;</P><P>My final filtered events should be:</P><P>name='xyz', user='abc', type='new', other-fields</P><P>name='name2', user='def', type='type2', other-fields</P><P>&nbsp;</P><P>Any suggestions?</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 20 May 2023 00:35:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643990#M79174 kashtech 2023-05-20T00:35:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643994#M79175 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256954">@kashtech</a>,</P><P>Your dataset's field values and the expected output field values are not seeming to be in sync.</P><P>For example: -&nbsp;</P><P>Dataset that you shared: -</P><P>name='name1', user='abc', type='type1', other-fields &nbsp; &nbsp; : latest event</P><P>name='name1', user='abc1', type='type1', other-fields &nbsp;: past event</P><P>name='name2', user='def', type='type2', other-fields &nbsp; &nbsp;&nbsp;</P><P>Here, the two distinct values for field "type" are: - type1 and type2.</P><P>&nbsp;</P><P>However, in your expected result, the value of field "type" is new.</P><P>name='xyz', user='abc', type='new', other-fields</P><P>name='name2', user='def', type='type2', other-fields</P><P>&nbsp;</P><P>Thus, for clarity it would be helpful if you could share the dataset: -</P><P>1. in tabular format</P><P>2. in sync between input and expected output.</P><P>&nbsp;</P><P>Thank you</P> Sat, 20 May 2023 02:59:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643994#M79175 Taruchit 2023-05-20T02:59:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643995#M79176 <P>Oh! sorry for the typo, my expected output:</P><P>name='xyz', user='abc', type='type1', other-fields</P><P>name='name2', user='def', type='type2', other-fields</P> Sat, 20 May 2023 03:01:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643995#M79176 kashtech 2023-05-20T03:01:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643996#M79177 <P>You mentioned in your description that you want to use dedup on user field.</P><P>If you check the data given, the first and second row have different field values for user: - abc, abc1.</P><P>In your actual dataset, are two values different or are they same?</P> Sat, 20 May 2023 03:04:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/643996#M79177 Taruchit 2023-05-20T03:04:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/644001#M79178 <P>This is not possible given the provided information - there is no provided logical relationship between your dummy data and the expected output.</P><P>Please provide more accurate representations of your events, the expected output and&nbsp; the logical relationship between them.</P> Sat, 20 May 2023 05:57:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/644001#M79178 ITWhisperer 2023-05-20T05:57:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/644025#M79180 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256954">@kashtech</a>,</P><P>did you tried with the last option in stats?</P><LI-CODE lang="markup">&lt;your_search&gt; | stats last(name) AS name last(type) AS type last(other-fields) AS other-fields BY user</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Sun, 21 May 2023 05:44:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-dedup-based-on-other-fields-conditions/m-p/644025#M79180 gcusello 2023-05-21T05:44:31Z