https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71149#M180794 <P>Looks like Sorkin also addressed this in:</P> <P><A href="http://answers.splunk.com/questions/12396/dedup-and-multivalued-fields">http://answers.splunk.com/questions/12396/dedup-and-multivalued-fields</A></P> Thu, 31 Mar 2011 00:37:30 GMT hazekamp 2011-03-31T00:37:30Z https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71147#M180792 <P>All,</P> <P>I am trying to remove duplicate values in a list of email addresses. First, I am loading this from a CSV, inside that CSV is a semi-colon delimited list of email recipients. In that list, some of the email recipients are duplicated. Obviously, they only received the email one time, and want that metric. </P> <P>So, I've put together a query to start that looks like this:</P> <PRE><CODE>sourcetype="email" sender="jgauthier*" subject="Specific email" | eval recipientlist=split(recipient, ";") </CODE></PRE> <P>So, my recipientlist now contains the duplicate email addresses. (from recipient, but split up)</P> <P>For one email, it appears that it's gone to the same person twice (since they are in the list twice).</P> <P>I've played with dedup, but it doesn't seem to work in this regard.</P> <P>Thanks for the help.</P> Thu, 31 Mar 2011 00:25:44 GMT https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71147#M180792 jgauthier 2011-03-31T00:25:44Z https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71148#M180793 <P>This is likely caused by the way dedup is behaving with the MV field created by eval-split. Try:</P> <PRE><CODE>sourcetype="email" sender="jgauthier*" subject="Specific email" | eval recipientlist=split(recipient, ";") | stats count by recipientlist | fields - count </CODE></PRE> <P>If you want the "count" just remove "| fields - count" above...</P> Thu, 31 Mar 2011 00:32:17 GMT https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71148#M180793 hazekamp 2011-03-31T00:32:17Z https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71149#M180794 <P>Looks like Sorkin also addressed this in:</P> <P><A href="http://answers.splunk.com/questions/12396/dedup-and-multivalued-fields">http://answers.splunk.com/questions/12396/dedup-and-multivalued-fields</A></P> Thu, 31 Mar 2011 00:37:30 GMT https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71149#M180794 hazekamp 2011-03-31T00:37:30Z https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71150#M180795 <P>I saw Sorkin's thread before I posted and worked with it.<BR /> But neither that effort or the one above seemed to accomplish this. Simply doing "stats count by recipientlist" gives me a count of <X> when the string exists multiple times in the recipientlist. "| fields - count" just gives me the field. Even if I have 100 distinct events, with a field containing duplicate values.<BR /> Thanks!</X></P> Thu, 31 Mar 2011 00:46:57 GMT https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71150#M180795 jgauthier 2011-03-31T00:46:57Z https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71151#M180796 <P>I am not sure why stats is not satisfying the use case of "trying to remove duplicate values...". I tested this locally and if you have:</P> <P>Event 1:<BR /> recipient=a;b;c;c</P> <P>Event 2:<BR /> recipient=x;y;z;a</P> <P>This search:<BR /> index=_internal | head 1 | eval recipient="a;b;c;c" | append [search index=_internal | head 1 | eval recipient="x;y;z;a"] | eval recipientList=split(recipient, ";") | stats count by recipientList</P> <P>Produces:</P> <P>a 2<BR /> b 1<BR /> c 2<BR /> x 1<BR /> y 1<BR /> z 1</P> <P>Which is a consolidate list of email addresses.</P> Mon, 28 Sep 2020 09:26:52 GMT https://community.splunk.com/t5/Splunk-Search/dedup-distinct-similar/m-p/71151#M180796 hazekamp 2020-09-28T09:26:52Z