https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572092#M199364 <P>I have a tstats query that pulls its data from an accelerated data model. I need to grab only the most up to date host event with the latest IP value. I cannot dedup in the data model root search itself as I need to keep track of _time to get point-in-time results as well.</P><P>Anyways, for the most current point-in-time IP value (right now), dedup is not working as intended. It's showing me the older value.</P><P><STRONG>Query without dedup:</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats latest(_time) as _time FROM datamodel="Host_Info" WHERE nodename="hostinfo" hostname=bobs by hostinfo.hostname hostinfo.ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Results (two values for ip)</P><P>hostninfo.hostname hostinfo.ip _time</P><TABLE><TBODY><TR><TD width="127.9px">bobs</TD><TD width="563.867px">10.10.10.10</TD><TD width="98.7333px">2021-10-22 19:55:03</TD></TR><TR><TD width="127.9px">bobs</TD><TD width="563.867px">33.33.33.33</TD><TD width="98.7333px">2021-10-22 21:23:06</TD></TR></TBODY></TABLE><P><STRONG>Query with dedup:</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats latest(_time) as _time FROM datamodel="Host_Info" WHERE nodename="hostinfo" hostname=bobs by hostinfo.hostname hostinfo.ip | dedup hostname</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Results (<EM>older</EM> value, not newer):</P><P>hostninfo.hostname hostinfo.ip _time</P><TABLE><TBODY><TR><TD width="127.9px">bobs</TD><TD width="563.867px">10.10.10.10</TD><TD width="98.7333px">2021-10-22 19:55:03</TD></TR></TBODY></TABLE><P>Why isn't dedup working correctly? If I dedup the actual indexed data, before it hits the datamodel, it works fine and shows me the latest hostname and IP.</P><P>&nbsp;</P> Fri, 22 Oct 2021 23:09:04 GMT thisissplunk 2021-10-22T23:09:04Z https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572092#M199364 <P>I have a tstats query that pulls its data from an accelerated data model. I need to grab only the most up to date host event with the latest IP value. I cannot dedup in the data model root search itself as I need to keep track of _time to get point-in-time results as well.</P><P>Anyways, for the most current point-in-time IP value (right now), dedup is not working as intended. It's showing me the older value.</P><P><STRONG>Query without dedup:</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats latest(_time) as _time FROM datamodel="Host_Info" WHERE nodename="hostinfo" hostname=bobs by hostinfo.hostname hostinfo.ip</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Results (two values for ip)</P><P>hostninfo.hostname hostinfo.ip _time</P><TABLE><TBODY><TR><TD width="127.9px">bobs</TD><TD width="563.867px">10.10.10.10</TD><TD width="98.7333px">2021-10-22 19:55:03</TD></TR><TR><TD width="127.9px">bobs</TD><TD width="563.867px">33.33.33.33</TD><TD width="98.7333px">2021-10-22 21:23:06</TD></TR></TBODY></TABLE><P><STRONG>Query with dedup:</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats latest(_time) as _time FROM datamodel="Host_Info" WHERE nodename="hostinfo" hostname=bobs by hostinfo.hostname hostinfo.ip | dedup hostname</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Results (<EM>older</EM> value, not newer):</P><P>hostninfo.hostname hostinfo.ip _time</P><TABLE><TBODY><TR><TD width="127.9px">bobs</TD><TD width="563.867px">10.10.10.10</TD><TD width="98.7333px">2021-10-22 19:55:03</TD></TR></TBODY></TABLE><P>Why isn't dedup working correctly? If I dedup the actual indexed data, before it hits the datamodel, it works fine and shows me the latest hostname and IP.</P><P>&nbsp;</P> Fri, 22 Oct 2021 23:09:04 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572092#M199364 thisissplunk 2021-10-22T23:09:04Z https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572093#M199365 <P>I haven't figured out why this is happening but the current workaround is to add a latest(hostname.ip) and removing hostname.ip from the by clause.</P><P>Not sure why latest() understands the timestamps but dedup doesn't. Maybe dedup works off of something else than _time?</P> Fri, 22 Oct 2021 23:16:41 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572093#M199365 thisissplunk 2021-10-22T23:16:41Z https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572101#M199369 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Dedup" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Dedup</A></P><LI-CODE lang="markup"> Events returned by dedup are based on search order. </LI-CODE> Sat, 23 Oct 2021 05:45:05 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572101#M199369 PickleRick 2021-10-23T05:45:05Z https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572102#M199370 <P>Ok. So I'm left wondering why the data coming back from the accelerated data model is out of order.</P> Sat, 23 Oct 2021 07:57:02 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-on-data-model-aftet-tstats-shows-the-older-event-not-the/m-p/572102#M199370 thisissplunk 2021-10-23T07:57:02Z