https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332894#M164453 <P>You will need to create a search which <EM>finds</EM> your duplicated data, and returns all but the last copy (or first - depending on your needs).<BR /> Once you are happy your search correctly identifies ONLY the duplicated events you can pipe the results to <CODE>|delete</CODE> which will <STRONG><EM>remove</EM></STRONG> the data from the indexes.<BR /><BR /> <EM>You will need to be a user with 'can delete' permissions - no user has this be default (not even admin) so you may need to add this capability to your user first - its also a good idea to remove this capability when you have finished to prevent accidents! (been there)</EM></P> <P>Its worth noting that this will <STRONG>not</STRONG> remove the data from disk - it simply marks it as deleted in the buckets, so it wont be returned in future searches</P> Mon, 11 Dec 2017 08:49:50 GMT nickhills 2017-12-11T08:49:50Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332893#M164452 <P>I do have many data including duplicate data , and i want to remove duplicate data from the index , without using the ""DEDUP" command since it only remove the event on SEARCH not in INDEX , can somebody help me ?</P> Mon, 11 Dec 2017 03:07:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332893#M164452 jadengoho 2017-12-11T03:07:44Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332894#M164453 <P>You will need to create a search which <EM>finds</EM> your duplicated data, and returns all but the last copy (or first - depending on your needs).<BR /> Once you are happy your search correctly identifies ONLY the duplicated events you can pipe the results to <CODE>|delete</CODE> which will <STRONG><EM>remove</EM></STRONG> the data from the indexes.<BR /><BR /> <EM>You will need to be a user with 'can delete' permissions - no user has this be default (not even admin) so you may need to add this capability to your user first - its also a good idea to remove this capability when you have finished to prevent accidents! (been there)</EM></P> <P>Its worth noting that this will <STRONG>not</STRONG> remove the data from disk - it simply marks it as deleted in the buckets, so it wont be returned in future searches</P> Mon, 11 Dec 2017 08:49:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332894#M164453 nickhills 2017-12-11T08:49:50Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332895#M164454 <P>@jadengoho, are these duplicates old or your data will keep on having duplicate data in future as well? If there will be duplicates, what is the source/cause/frequency of duplicate data?</P> Mon, 11 Dec 2017 08:55:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332895#M164454 niketn 2017-12-11T08:55:27Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332896#M164455 <P>it is a daily logs data , so duplicate data is a problem , cause they are just stacking .</P> Mon, 11 Dec 2017 08:57:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332896#M164455 jadengoho 2017-12-11T08:57:29Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332897#M164456 <P>If you can fix data while ingestion that would be best. Else you can run a daily scheduled search (to run after data is ingested), which will list all daily data with dedup and push it to separate index. </P> <P>Refer to Splunk Documentation: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect#Moving_events_to_a_different_index">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect#Moving_events_to_a_different_index</A></P> <P>PS: <BR /> You can use <CODE>collect</CODE> command to do this, however, to me seems overhead unless fixed prior to indexing. <BR /> You can also think of scripted input to do this in case there are no other means of preventing duplicated events from being indexed.<BR /> Using collect command if you define <CODE>sourcetype</CODE> other than <CODE>stash</CODE>, it will count against your license.</P> Mon, 11 Dec 2017 10:00:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332897#M164456 niketn 2017-12-11T10:00:53Z https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332898#M164457 <P>I have the same problem, do I need to use a script to fix this issue? If yes, what kind of script should I use?</P> Tue, 12 Dec 2017 01:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-remove-duplicate-events-in-INDEX-not-on-Search/m-p/332898#M164457 mjlsnombrado 2017-12-12T01:49:57Z