topic Re: removing duplicate with maximum value in Splunk Search

removing duplicate with maximum value

RanjiRaje — Tue, 17 Sep 2024 14:16:19 GMT

Hi All, Can anyone please help me on this ...

I am framing a SPL query to get list of hosts with their last eventtime.

SPL query:

| tstats max(_time) as latest where index=indexname by host | convert ctime(latest)

From this query, I am getting the list as expected, but with one bug. (If I have a host both in lower case & in upper case, I am getting 2 different entries)

Eg: host latest

HOSTNAME1 09/17/2024 15:27:49

hostname1 08/30/2024 15:27:00

hostname2 09/15/2024 15:27:49

HOSTNAME2 09/13/2024 15:27:49

From here, I have to get only one entry for a host along with latest time. (For hostname1, I should get 09/17/2024 15:27:49, similarly for hostname2 I should get 09/15/2024 15:27:49)

I tried adding the command,

| eval host=upper(host), latest=max(latest) | dedup host

But it is not considering max of "latest", and it just showing the single row for each host with random value of "latest"

Can you please suggest me the better way to achieve this. thanks

Re: removing duplicate with maximum value

gcusello — Tue, 17 Sep 2024 13:47:12 GMT

Hi @RanjiRaje ,

please try this:

| tstats max(_time) as latest where index=indexname by host | eval host=upper(host) | stats max(latest) AS latest BY host | convert ctime(latest)

Ciao.

Giuseppe

Re: removing duplicate with maximum value

PickleRick — Tue, 17 Sep 2024 14:10:22 GMT

You generally thought well but you have to cast your hostname to lowercase (or uppercase; doesn't matter as long as it's consistent) _before_ you do your stats.

EDIT: I didn't notice it started with tstats. Of course in this case @gcusello 's solution is the way to go.

Re: removing duplicate with maximum value

RanjiRaje — Tue, 17 Sep 2024 16:02:57 GMT

thanks sir 🙂

I was thinking something complex, but you made it very simple.