https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500814#M195100 <P>Our purpose is to get the most recent event with specific fields by "dedup" command in indexer cluster </P> <P>We have read a similar case according to this link, but still confused about the usage of <STRONG>dedup</STRONG>.:<BR /> <A href="https://answers.splunk.com/answers/323510/how-to-keep-all-most-recent-events-for-a-specific.html">https://answers.splunk.com/answers/323510/how-to-keep-all-most-recent-events-for-a-specific.html</A><BR /> The following is our case</P> <P><STRONG>Event sample (index=myIndex)</STRONG><BR /> conditions:<BR /> (1) 1 search-head + 2 indexer instances (we use index cluster)<BR /> (2) each event have one duplicated record (marked "duplicated event")</P> <PRE><CODE>2019-12-04 12:00:00, machine=serverA, result=pass # duplicated event 2019-12-04 12:00:00, machine=serverA, result=pass 2019-12-04 12:00:00, machine=serverB, result=pass # duplicated event 2019-12-04 12:00:00, machine=serverB, result=pass 2019-12-03 12:00:00, machine=serverA, result=fail # duplicated event 2019-12-03 12:00:00, machine=serverA, result=fail 2019-12-03 12:00:00, machine=serverB, result=fail # duplicated event 2019-12-03 12:00:00, machine=serverB, result=fail </CODE></PRE> <P>We want to get the most recent server's result per day, such as</P> <P><STRONG>Taget result</STRONG></P> <PRE><CODE>2019-12-04 12:00:00, machine=serverA, result=pass 2019-12-04 12:00:00, machine=serverB, result=pass 2019-12-03 12:00:00, machine=serverA, result=fail 2019-12-03 12:00:00, machine=serverB, result=fail </CODE></PRE> <P><STRONG>SPL query</STRONG></P> <PRE><CODE>index=myIndex | dedup _time machine </CODE></PRE> <P>Question: <BR /> Does "<STRONG>dedup</STRONG>" command "always" return the most recent events based on the specific fields crossing multiple indexers? </P> <P>According to our case, If we apply the spl query based on our condition, can we always get the target result?</P> Wed, 04 Dec 2019 04:07:10 GMT davidgogogo 2019-12-04T04:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500814#M195100 <P>Our purpose is to get the most recent event with specific fields by "dedup" command in indexer cluster </P> <P>We have read a similar case according to this link, but still confused about the usage of <STRONG>dedup</STRONG>.:<BR /> <A href="https://answers.splunk.com/answers/323510/how-to-keep-all-most-recent-events-for-a-specific.html">https://answers.splunk.com/answers/323510/how-to-keep-all-most-recent-events-for-a-specific.html</A><BR /> The following is our case</P> <P><STRONG>Event sample (index=myIndex)</STRONG><BR /> conditions:<BR /> (1) 1 search-head + 2 indexer instances (we use index cluster)<BR /> (2) each event have one duplicated record (marked "duplicated event")</P> <PRE><CODE>2019-12-04 12:00:00, machine=serverA, result=pass # duplicated event 2019-12-04 12:00:00, machine=serverA, result=pass 2019-12-04 12:00:00, machine=serverB, result=pass # duplicated event 2019-12-04 12:00:00, machine=serverB, result=pass 2019-12-03 12:00:00, machine=serverA, result=fail # duplicated event 2019-12-03 12:00:00, machine=serverA, result=fail 2019-12-03 12:00:00, machine=serverB, result=fail # duplicated event 2019-12-03 12:00:00, machine=serverB, result=fail </CODE></PRE> <P>We want to get the most recent server's result per day, such as</P> <P><STRONG>Taget result</STRONG></P> <PRE><CODE>2019-12-04 12:00:00, machine=serverA, result=pass 2019-12-04 12:00:00, machine=serverB, result=pass 2019-12-03 12:00:00, machine=serverA, result=fail 2019-12-03 12:00:00, machine=serverB, result=fail </CODE></PRE> <P><STRONG>SPL query</STRONG></P> <PRE><CODE>index=myIndex | dedup _time machine </CODE></PRE> <P>Question: <BR /> Does "<STRONG>dedup</STRONG>" command "always" return the most recent events based on the specific fields crossing multiple indexers? </P> <P>According to our case, If we apply the spl query based on our condition, can we always get the target result?</P> Wed, 04 Dec 2019 04:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500814#M195100 davidgogogo 2019-12-04T04:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500815#M195101 <P><CODE>dedup</CODE> "removes the events that contain an identical combination of values for the fields that you specify", so as long as all of the logs are being pulled in to your searchhead from all of the indexers (which it looks like from your query results that they are), then yes, it will grab just one of them since you've specified those two fields. "Events returned by dedup are based on search order. For historical searches, the most recent events are searched first." So without a sort, it will just go in descending _time order, as that is the default for how Splunk reads in logs for historical (time based) searches. You can sort by _time or other fields as well with <CODE>dedup</CODE> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/dedup#Optional_arguments" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/dedup#Optional_arguments</A></P> <P><CODE>dedup _time machine sortby -_time</CODE> </P> <P>This doesn't make a ton of sense in this case because you're already specifying _time as a field to dedup on but a thought for the future. That being said, you can also leverage the <CODE>stats</CODE> command, as this will give you more control over what exactly you want to be passed through, and with less fuzziness on what Splunk chose to dedup. Example:</P> <P><CODE>stats values(result) by _time, machine</CODE></P> <P>will return the unique set of results for each _time/machine pairing. I prefer this because it's very clear exactly what you're doing, and you can also more easily compare by switching <CODE>values</CODE> to <CODE>list</CODE> to see what is duplicated!</P> <P>Hope this helps.</P> Wed, 30 Sep 2020 03:15:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500815#M195101 aberkow 2020-09-30T03:15:15Z https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500816#M195102 <P>Thanks for your answer! it's really helpful.</P> <P>We have considered using <CODE>stats</CODE> before, but there were two reasons why we use <CODE>dedup</CODE> rather than <CODE>stats</CODE> </P> <P><STRONG>performance aspect</STRONG><BR /> if <CODE>dedup</CODE> command only searchs the first matching event, does that mean the performance will be much better than <CODE>stats</CODE>?</P> <P><STRONG>query complexity</STRONG></P> <P>if we have to deal with many fields, such as </P> <PRE><CODE>2019-12-04 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 2019-12-04 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 2019-12-03 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 2019-12-03 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 </CODE></PRE> <P>we can just use a very simple query to get the most recent result per day per machine<BR /> <CODE>| dedup _time machine</CODE> </P> <PRE><CODE>2019-12-04 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 2019-12-03 12:00:00, machine=A, field1=x1 field2=x2 field2=x2 field3=x3......field100=x100 </CODE></PRE> <P>on the other hand, it will be more complected if we use <CODE>stats</CODE> to deal with each field, such as <BR /> <CODE>|stats latest(field1), latest(field2)... by _time machine</CODE></P> <P>I'm not sure our consideration making sense or not, do you have any advice for this case?</P> Thu, 05 Dec 2019 09:51:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-most-recent-event-with-specific-fields-by-quot/m-p/500816#M195102 davidgogogo 2019-12-05T09:51:11Z